units: set LockPersonality= for all our long-running services (#6819)

Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.

TODO

@@ -27,8 +27,6 @@ Features:
 * dissect: when we discover squashfs, don't claim we had a "writable" partition
   in systemd-dissect
 
-* set LockPersonality= on all our services
-
 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
   creates a static, persistent user rather than a dynamic, transient user. We
   can leverage code from sysusers.d for this.

units/systemd-coredump@.service.in

@@ -33,4 +33,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/coredump

units/systemd-hostnamed.service.in

@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

units/systemd-importd.service.in

@@ -23,3 +23,4 @@ RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes

units/systemd-journal-gatewayd.service.in

@@ -25,6 +25,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # If there are many split upjournal files we need a lot of fds to
 # access them all and combine

units/systemd-journal-remote.service.in

@@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 LogsDirectory=journal/remote
 
 [Install]

units/systemd-journal-upload.service.in

@@ -28,6 +28,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/journal-upload
 
 # If there are many split up journal files we need a lot of fds to

units/systemd-journald.service.in

@@ -29,6 +29,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

units/systemd-localed.service.in

@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

units/systemd-logind.service.in

@@ -30,6 +30,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 FileDescriptorStoreMax=512
 
 # Increase the default a bit in order to allow many simultaneous

units/systemd-machined.service.in

@@ -23,6 +23,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

units/systemd-networkd.service.in

@@ -34,6 +34,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
 

units/systemd-resolved.service.in

@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
 

units/systemd-timedated.service.in

@@ -27,4 +27,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

units/systemd-timesyncd.service.in

@@ -38,6 +38,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/timesync
 
 [Install]

units/systemd-udevd.service.in

@@ -28,3 +28,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes