units: set ProtectKernelLogs=yes on relevant units
We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
This commit is contained in:
Kevin Kuehler
parent
806aea3879
commit
6168ae5840
|
|
@ -32,6 +32,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ ProtectControlGroups=yes
|
|||
ProtectHome=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
|
|
|
|||
|
|
@ -26,6 +26,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
|
|
|
|||
|
|
@ -28,6 +28,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
|
|
|
|||
|
|
@ -41,6 +41,7 @@ ProtectControlGroups=yes
|
|||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc /run
|
||||
Restart=always
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ LockPersonality=yes
|
|||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
RestrictRealtime=yes
|
||||
SystemCallArchitectures=native
|
||||
|
|
|
|||
|
|
@ -29,6 +29,7 @@ NoNewPrivileges=yes
|
|||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
Restart=on-failure
|
||||
RestartSec=0
|
||||
|
|
|
|||
|
|
@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
|
|||
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
|
||||
MemoryDenyWriteExecute=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=@system-service @mount
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ ProtectControlGroups=yes
|
|||
ProtectHome=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
|
|
|
|||
|
|
@ -27,6 +27,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc
|
||||
RestrictAddressFamilies=AF_UNIX
|
||||
|
|
|
|||
|
|
@ -32,6 +32,7 @@ ProtectHome=yes
|
|||
ProtectHostname=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectSystem=strict
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
|
|
|
|||
Loading…
Reference in New Issue