summaryrefslogtreecommitdiff
path: root/units
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2019-02-20 14:12:15 +0100
committerGitHub <noreply@github.com>2019-02-20 14:12:15 +0100
commiteb5149ba7462e0e27a349fcf9f8514440b06067c (patch)
tree53895a7da8fcc6b4bf9eeb42f82fdf529bd750a3 /units
parent37ed15d7edaf59a1fc7c9e3552cd93a83f3814ef (diff)
parent99894b867f1293f56d181d62f5015c5a0a8adbda (diff)
downloadsystemd-eb5149ba7462e0e27a349fcf9f8514440b06067c.tar.gz
Merge pull request #11682 from topimiettinen/private-utsname
core: ProtectHostname feature
Diffstat (limited to 'units')
-rw-r--r--units/systemd-coredump@.service.in1
-rw-r--r--units/systemd-hostnamed.service.in1
-rw-r--r--units/systemd-importd.service.in1
-rw-r--r--units/systemd-journal-gatewayd.service.in1
-rw-r--r--units/systemd-journal-remote.service.in1
-rw-r--r--units/systemd-journal-upload.service.in1
-rw-r--r--units/systemd-journald.service.in1
-rw-r--r--units/systemd-localed.service.in1
-rw-r--r--units/systemd-logind.service.in1
-rw-r--r--units/systemd-machined.service.in1
-rw-r--r--units/systemd-networkd.service.in1
-rw-r--r--units/systemd-portabled.service.in1
-rw-r--r--units/systemd-resolved.service.in1
-rw-r--r--units/systemd-timedated.service.in1
-rw-r--r--units/systemd-timesyncd.service.in1
-rw-r--r--units/systemd-udevd.service.in1
16 files changed, 16 insertions, 0 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index ffcb5f36ca..f6166fa11c 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -29,6 +29,7 @@ PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 9c925e80d9..62e9b28f5b 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -25,6 +25,7 @@ PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 20704a8232..38b7d7e94b 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -20,6 +20,7 @@ KillMode=mixed
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
+ProtectHostname=yes
RestrictRealtime=yes
RestrictNamespaces=net
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ebc8bf9a25..0f16ae4ccb 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -22,6 +22,7 @@ PrivateDevices=yes
PrivateNetwork=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 29a99aaec1..71727295c3 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -23,6 +23,7 @@ PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 92cd4e5259..10e4d657d3 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -22,6 +22,7 @@ NoNewPrivileges=yes
PrivateDevices=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 4684f095c0..1807d73c68 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -23,6 +23,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+ProtectHostname=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 01e0703d0e..a64e7e79a8 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -25,6 +25,7 @@ PrivateNetwork=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 38a7f269ac..fb6fda4907 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,6 +28,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+ProtectHostname=yes
Restart=always
RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 9f1476814d..d6deefea08 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ IPAddressDeny=any
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
+ProtectHostname=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 472ef045de..5da0e1e330 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -27,6 +27,7 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectSystem=strict
Restart=on-failure
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index a44cdb30a4..a8eab94d02 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
WatchdogSec=3min
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
MemoryDenyWriteExecute=yes
+ProtectHostname=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service @mount
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 3144b70063..eac3f31012 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -30,6 +30,7 @@ PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 6d53024195..46ee8c894d 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -23,6 +23,7 @@ NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 03ade45d08..5313a90c30 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -29,6 +29,7 @@ PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
+ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 6a3814e5d9..fb98ca4d43 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -26,6 +26,7 @@ KillMode=mixed
WatchdogSec=3min
TasksMax=infinity
PrivateMounts=yes
+ProtectHostname=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
View Lorry Controller Status