units: set ProtectKernelLogs=yes on relevant units

We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
author: Kevin Kuehler <keur@xcf.berkeley.edu> 2019-11-13 16:56:23 -0800
committer: Kevin Kuehler <keur@xcf.berkeley.edu> 2019-11-15 00:59:54 -0800
commit: 6168ae5840bf206b1d1f88d5173fb292230f56a8 (patch)
tree: 1048330b903602686dc56cd5986cfeb226d08740 /units/systemd-machined.service.in
parent: 806aea3879ca86355af24a7c36cdbf7432b0c7c7 (diff)
download: systemd-6168ae5840bf206b1d1f88d5173fb292230f56a8.tar.gz
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 3db0281f81..fa344d487d 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
author	Kevin Kuehler <keur@xcf.berkeley.edu>	2019-11-13 16:56:23 -0800
committer	Kevin Kuehler <keur@xcf.berkeley.edu>	2019-11-15 00:59:54 -0800
commit	6168ae5840bf206b1d1f88d5173fb292230f56a8 (patch)
tree	1048330b903602686dc56cd5986cfeb226d08740 /units/systemd-machined.service.in
parent	806aea3879ca86355af24a7c36cdbf7432b0c7c7 (diff)
download	systemd-6168ae5840bf206b1d1f88d5173fb292230f56a8.tar.gz