units: enable MemoryDenyWriteExecute (#3459)

Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute. Closes: #3459
2016-06-08 12:23:37 +00:00 · 2016-06-08 12:23:37 +00:00 · 40652ca479
parent b9c59555b1
commit 40652ca479
10 changed files with 10 additions and 0 deletions
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@ -20,3 +20,4 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
+MemoryDenyWriteExecute=yes
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@ -17,3 +17,4 @@ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_
 NoNewPrivileges=yes
 WatchdogSec=3min
 KillMode=mixed
+MemoryDenyWriteExecute=yes
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@ -24,6 +24,7 @@ StandardOutput=null
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
 WatchdogSec=3min
 FileDescriptorStoreMax=1024
+MemoryDenyWriteExecute=yes

 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@ -20,3 +20,4 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectSystem=yes
 ProtectHome=yes
+MemoryDenyWriteExecute=yes
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@ -25,6 +25,7 @@ RestartSec=0
 BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes

 # Increase the default a bit in order to allow many simultaneous
 # logins since we keep one fd open per session.
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@ -17,6 +17,7 @@ ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes

 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes

 [Install]
 WantedBy=multi-user.target
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@ -27,6 +27,7 @@ CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRI
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes

 [Install]
 WantedBy=multi-user.target
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@ -18,3 +18,4 @@ WatchdogSec=3min
 PrivateTmp=yes
 ProtectSystem=yes
 ProtectHome=yes
+MemoryDenyWriteExecute=yes
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@ -28,6 +28,7 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=3min
+MemoryDenyWriteExecute=yes

 [Install]
 WantedBy=sysinit.target