diff options
| -rw-r--r-- | units/systemd-journal-remote.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-journald.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-logind.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-networkd.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-resolved.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-udevd.service.in | 3 |
6 files changed, 8 insertions, 0 deletions
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index 6181d15d77..334f030caa 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -21,6 +21,7 @@ NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes PrivateTmp=yes +ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes ProtectHostname=yes diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 5144868bcb..0cb1bfa3ca 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -25,6 +25,7 @@ LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes OOMScoreAdjust=-250 +ProtectClock=yes Restart=always RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 23aa828591..ed573b8f3c 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -36,6 +36,7 @@ LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes PrivateTmp=yes +ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes ProtectHostname=yes diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 1b69677496..2673146841 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes +ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes ProtectKernelModules=yes diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in index f73697832c..5723f1c1e2 100644 --- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.in @@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes NoNewPrivileges=yes PrivateDevices=yes PrivateTmp=yes +ProtectClock=yes ProtectControlGroups=yes ProtectHome=yes ProtectKernelModules=yes diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index 5eee69933b..f3ebaa18a6 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -16,6 +16,8 @@ Before=sysinit.target ConditionPathIsReadWrite=/sys [Service] +DeviceAllow=block-* rwm +DeviceAllow=char-* rwm Type=notify # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers OOMScoreAdjust=-1000 @@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0 KillMode=mixed TasksMax=infinity PrivateMounts=yes +ProtectClock=yes ProtectHostname=yes MemoryDenyWriteExecute=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 |