author | Topi Miettinen <toiwoton@gmail.com> | 2020-04-02 21:18:11 +0300 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2020-04-07 15:37:14 +0200 |
commit | cabc1c6d7adae658a2966a4b02a6faabb803e92b (patch) | |
tree | 97d713454ae4cffbf17b841480df3008bf3f2752 /units | |
parent | c3362c2f97115d7eecac556cf70034992c46221d (diff) | |
units: add ProtectClock=yes
Add `ProtectClock=yes` to systemd units. Since it implies certain
`DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so
they are still able to access other devices. Exclude timesyncd and timedated.
Diffstat (limited to 'units')
-rw-r--r-- | units/systemd-journal-remote.service.in | 1 | ||||
-rw-r--r-- | units/systemd-journald.service.in | 1 | ||||
-rw-r--r-- | units/systemd-logind.service.in | 1 | ||||
-rw-r--r-- | units/systemd-networkd.service.in | 1 | ||||
-rw-r--r-- | units/systemd-resolved.service.in | 1 | ||||
-rw-r--r-- | units/systemd-udevd.service.in | 3 |
6 files changed, 8 insertions, 0 deletions
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 6181d15d77..334f030caa 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -21,6 +21,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 5144868bcb..0cb1bfa3ca 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 23aa828591..ed573b8f3c 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -36,6 +36,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 1b69677496..2673146841 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f73697832c..5723f1c1e2 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
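Review bot: Neither the journald nor the logind hunk shows a PrivateDevices= or DeviceAllow= line next to the new ProtectClock=yes, although the commit message itself says ProtectClock= implies DeviceAllow= rules and that units therefore need their own DeviceAllow= to keep reaching other devices; journal-remote and resolved already carry PrivateDevices=yes in their context and udevd gets explicit rules, but journald and logind depend on lines outside the hunk. Per the DevicePolicy= documentation, the first DeviceAllow= on a unit moves it from the default to a closed device policy, so any device node these two services open at runtime (journald's kernel log device, the input and tty nodes logind handles — to be confirmed against the full units) would be denied unless an explicit rule exists. Suggest verifying the [Service] sections beyond the hunk for the needed `DeviceAllow=` entries and adding, in both units, a comment such as `# ProtectClock= implies DeviceAllow=char-rtc r and hence a closed device policy; keep DeviceAllow= rules for every other device node this service opens`. The enclosing [Service] sections start and end outside these hunks.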
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 5eee69933b..f3ebaa18a6 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -16,6 +16,8 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys
 
 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
 # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
 OOMScoreAdjust=-1000
@@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 |
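Review bot: The wildcard rules `DeviceAllow=block-* rwm` and `DeviceAllow=char-* rwm` in the first udevd hunk grant every device node with all access modes, which also covers the RTC node that the read-only char-rtc rule implied by ProtectClock= (second hunk) is meant to restrict; DeviceAllow= rules are additive, so the device-cgroup part of the clock protection is effectively void for this unit and the protection rests on the capability drop and syscall filter that ProtectClock= also applies. That is presumably intended, since udevd has to manage all devices, but nothing in the unit says so and a later reader may take the wildcards for an oversight. Suggest a comment above the two rules: `# udevd manages every device node, so allow all of them; clock writes remain blocked by the capability drop and syscall filter of ProtectClock=, not by the device policy`. Both hunks sit inside the [Service] section, which continues outside them.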