diff options
| author | Topi Miettinen <toiwoton@gmail.com> | 2019-05-01 15:28:36 +0300 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2019-06-20 14:03:57 +0200 |
| commit | 9af2820694e1b2d409ed35cf0bca00acab0bdec5 (patch) | |
| tree | bfb51a766ad692b4d6b17ee5519d6c0753f7a334 /units/systemd-journald.service.in | |
| parent | 762267cdc117895dd2b50657ebd6ea085a1aff8a (diff) | |
| download | systemd-9af2820694e1b2d409ed35cf0bca00acab0bdec5.tar.gz | |
units: deny access to block devices
While the need for access to character devices can be tricky to determine for
the general case, it's obvious that most of our services have no need to access
block devices. For logind and timedated this can be tightened further.
Diffstat (limited to 'units/systemd-journald.service.in')
| -rw-r--r-- | units/systemd-journald.service.in | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index fab405502a..323334f6a3 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -17,6 +17,7 @@ Before=sysinit.target [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE +DeviceAllow=char-* rw ExecStart=@rootlibexecdir@/systemd-journald FileDescriptorStoreMax=4224 IPAddressDeny=any |