From 6489ccfe48bb21a43694b60173a49d140b4fb91f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 9 Feb 2017 11:22:08 +0100
Subject: [PATCH] units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings

Tighten security up a bit more.
---
 units/systemd-hostnamed.service.in | 2 +-
 units/systemd-importd.service.in | 2 +-
 units/systemd-journald.service.in | 2 +-
 units/systemd-localed.service.in | 2 +-
 units/systemd-logind.service.in | 2 +-
 units/systemd-machined.service.in | 2 +-
 units/systemd-networkd.service.m4.in | 2 +-
 units/systemd-resolved.service.m4.in | 2 +-
 units/systemd-timedated.service.in | 2 +-
 units/systemd-timesyncd.service.in | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 85410adc72..01a8ec9f57 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index de2431739f..75585d5dbc 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -21,5 +21,5 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index adabedd977..64253f59d4 100644
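Review bot: The new `@reboot @swap` entries are appended to a denylist (`~`) that is copied verbatim into all ten units, and the per-unit gaps — `@mount` absent in the importd, logind and machined hunks, `@clock` absent in the timedated and timesyncd hunks — are recorded nowhere in the files, so a later hardening pass could "fix" them and break the daemon. A one-line comment above each such `SystemCallFilter=` would prevent that, e.g. for timedated/timesyncd `# @clock is deliberately not filtered: this service adjusts the system clock` (presumably the reason; the rationale for the @mount omissions is not visible here and should be written by whoever knows it). No `SystemCallErrorNumber=` appears in any hunk, so a filtered call terminates the process rather than failing with an errno; the widened list is worth exercising against each daemon under test rather than assumed inert. Where the bounding set still carries CAP_SYS_ADMIN (the machined hunk header shows it), this filter is the only barrier to the swap and reboot syscalls; for the daemons running as unprivileged users it is defence in depth, which the commit message could say explicitly.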
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,7 +28,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a41e30bfdf..f76012a34c 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -27,6 +27,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 93abeb3dca..e20a3ad057 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,7 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 3c46d04f64..0b0bbf272c 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -20,7 +20,7 @@ CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_C
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 # Note that machined cannot be placed in a mount namespace, since it
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index d33deb97b6..c3f153046a 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -35,7 +35,7 @@ ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/run/systemd
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 08f0a85aea..820e299168 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -35,7 +35,7 @@ ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/run/systemd
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2881e122dc..f691f47517 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -25,6 +25,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index ab48a7aa30..8d328bb80a 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -35,7 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd