13 files changed, 13 insertions, 0 deletions

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index afb2ab9d17..951faa62a1 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -32,6 +32,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 1fbbafdd6f..1365d749ca 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 50f774512b..8071395e68 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -24,6 +24,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 7f5238802f..6181d15d77 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -26,6 +26,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 33ef3b8dca..2f1cce8518 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -24,6 +24,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index f9a81fa8dd..10ecff5184 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -28,6 +28,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ef802a4e6f..ccbe631586 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -41,6 +41,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 3db0281f81..fa344d487d 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index ed985f64fa..01931665a4 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -29,6 +29,7 @@ NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=on-failure
 RestartSec=0
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index fb79f454fd..3051fbd3d0 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 22cb202363..f73697832c 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -32,6 +32,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 819cb4dba2..87859f4aef 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,6 +27,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 1a866fcc7a..f0486a70ab 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -32,6 +32,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0