From 1bded6b28fe13a06eba4882890dd0ffc7739e201 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 12 Nov 2018 17:57:45 +0100
Subject: [PATCH 1/2] logind: drop CAP_KILL from caps bounding set

logind doesn't kill any processes anymore, hence let's drop the capability.
---
 units/systemd-logind.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 38a7f269ac..ff1fd96765 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -21,7 +21,7 @@ After=dbus.socket
 
 [Service]
 BusName=org.freedesktop.login1
-CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any

From 45ae3f6117266648a1d82405d48594ec188e4b9d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 12 Nov 2018 18:08:48 +0100
Subject: [PATCH 2/2] units: lock down systemd-logind.service with various fs namespacing options

now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down the service using fs namespacing (as we don't need the mount to propagate to the host namespace anymore).
---
 units/systemd-logind.service.in | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ff1fd96765..6886fa9bfe 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,11 +28,19 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectSystem=strict
+ReadWritePaths=/etc
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RuntimeDirectory=systemd/sessions systemd/seats systemd/users
+RuntimeDirectoryPreserve=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
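Review bot: `ProtectSystem=strict` combined with only `ReadWritePaths=/etc` and the three `RuntimeDirectory=` subdirectories leaves every other path logind writes read-only, so unless those writers have already been removed, the linger markers under /var/lib/systemd and the inhibitor and scheduled-shutdown state under /run/systemd will fail with EROFS inside the new mount namespace rather than with a clean error. The added `RuntimeDirectory=` line should also cover those runtime subdirectories, `RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown`, and the linger directory should be granted with `StateDirectory=systemd/linger` (or an explicit `ReadWritePaths=` entry) so the lockdown does not silently disable `loginctl enable-linger`. Opening all of `/etc` for writing is broader than the one writer this presumably serves (the seat-assignment udev rules); a comment such as `# /etc must stay writable for the udev rules logind writes on device attachment` plus a narrower path would keep the hardening auditable. The `[Service]` section this hunk belongs to begins outside the hunk.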