units: prohibit all IP traffic on all our long-running services (#6921)

Let's lock things down further.
2017-10-04 14:16:28 +02:00 · 2017-10-04 14:16:28 +02:00 · 0a9b166b43
parent 07883f198d
commit 0a9b166b43
8 changed files with 8 additions and 0 deletions
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@ -34,4 +34,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 StateDirectory=systemd/coredump
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 ReadWritePaths=/etc
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any

 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 ReadWritePaths=/etc
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@ -31,6 +31,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 FileDescriptorStoreMax=512

 # Increase the default a bit in order to allow many simultaneous
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any

 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@ -28,4 +28,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 ReadWritePaths=/etc
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@ -29,3 +29,4 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any