summaryrefslogtreecommitdiff
path: root/units/systemd-journald.service.in
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-08-26 13:23:27 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-09-25 10:52:57 +0200
commit0c28d51ac84973904e5f780b024adf8108e69fa1 (patch)
tree733e50f1bc45a47c4a3123abcab41ea4cfe50ab1 /units/systemd-journald.service.in
parentf6eb19a474fdee780d5f2a4b62b5a55e6cbef4de (diff)
downloadsystemd-0c28d51ac84973904e5f780b024adf8108e69fa1.tar.gz
units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
Diffstat (limited to 'units/systemd-journald.service.in')
-rw-r--r--units/systemd-journald.service.in4
1 files changed, 3 insertions, 1 deletions
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 08ace8ae44..712ce55483 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -21,10 +21,12 @@ Restart=always
RestartSec=0
NotifyAccess=all
StandardOutput=null
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
WatchdogSec=3min
FileDescriptorStoreMax=1024
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
# Increase the default a bit in order to allow many simultaneous