summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--units/systemd-journald.service.in1
-rw-r--r--units/systemd-logind.service.in5
-rw-r--r--units/systemd-networkd.service.in1
-rw-r--r--units/systemd-timedated.service.in1
4 files changed, 8 insertions, 0 deletions
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index fab405502a..323334f6a3 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -17,6 +17,7 @@ Before=sysinit.target
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+DeviceAllow=char-* rw
ExecStart=@rootlibexecdir@/systemd-journald
FileDescriptorStoreMax=4224
IPAddressDeny=any
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 8a7262776f..1b37290d4f 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -22,6 +22,11 @@ After=dbus.socket
[Service]
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE
+DeviceAllow=char-/dev/console rw
+DeviceAllow=char-drm rw
+DeviceAllow=char-input rw
+DeviceAllow=char-tty rw
+DeviceAllow=char-vcs rw
ExecStart=@rootlibexecdir@/systemd-logind
FileDescriptorStoreMax=512
IPAddressDeny=any
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 2c74da6f1e..9ea3bb914e 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -21,6 +21,7 @@ Wants=network.target
[Service]
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+DeviceAllow=char-* rw
ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes
MemoryDenyWriteExecute=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index df546f471f..d430ee2017 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -15,6 +15,7 @@ Documentation=https://www.freedesktop.org/wiki/Software/systemd/timedated
[Service]
BusName=org.freedesktop.timedate1
CapabilityBoundingSet=CAP_SYS_TIME
+DeviceAllow=char-rtc r
ExecStart=@rootlibexecdir@/systemd-timedated
IPAddressDeny=any
LockPersonality=yes
View Lorry Controller Status