diff options
-rw-r--r-- | units/systemd-coredump@.service.in | 1 | ||||
-rw-r--r-- | units/systemd-hostnamed.service.in | 1 | ||||
-rw-r--r-- | units/systemd-journald.service.in | 1 | ||||
-rw-r--r-- | units/systemd-localed.service.in | 1 | ||||
-rw-r--r-- | units/systemd-logind.service.in | 1 | ||||
-rw-r--r-- | units/systemd-machined.service.in | 1 | ||||
-rw-r--r-- | units/systemd-timedated.service.in | 1 | ||||
-rw-r--r-- | units/systemd-udevd.service.in | 1 |
8 files changed, 8 insertions, 0 deletions
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index d7eaf3398e..ef58f0cb3e 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -34,4 +34,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any StateDirectory=systemd/coredump diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index 9bb5ad8cac..cfee2cbbf1 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any ReadWritePaths=/etc diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 07e03e736e..a747fe3f1f 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any # Increase the default a bit in order to allow many simultaneous # services being run since we keep one fd open per service. Also, when diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index 1366fa7910..5dd8b18894 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any ReadWritePaths=/etc diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index f6daf7755c..de380a27d3 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -31,6 +31,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any FileDescriptorStoreMax=512 # Increase the default a bit in order to allow many simultaneous diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index fb4df38293..03b9bf5c0d 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any # Note that machined cannot be placed in a mount namespace, since it # needs access to the host's mount namespace in order to implement the diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index 9fca1d1905..97130e93c3 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -28,4 +28,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any ReadWritePaths=/etc diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index d3d13ed7cf..03909f5d7f 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -29,3 +29,4 @@ RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any |