From 99894b867f1293f56d181d62f5015c5a0a8adbda Mon Sep 17 00:00:00 2001
From: Topi Miettinen
Date: Tue, 19 Feb 2019 00:30:12 +0200
Subject: [PATCH] units: enable ProtectHostname=yes
---
 units/systemd-coredump@.service.in | 1 +
 units/systemd-hostnamed.service.in | 1 +
 units/systemd-importd.service.in | 1 +
 units/systemd-journal-gatewayd.service.in | 1 +
 units/systemd-journal-remote.service.in | 1 +
 units/systemd-journal-upload.service.in | 1 +
 units/systemd-journald.service.in | 1 +
 units/systemd-localed.service.in | 1 +
 units/systemd-logind.service.in | 1 +
 units/systemd-machined.service.in | 1 +
 units/systemd-networkd.service.in | 1 +
 units/systemd-portabled.service.in | 1 +
 units/systemd-resolved.service.in | 1 +
 units/systemd-timedated.service.in | 1 +
 units/systemd-timesyncd.service.in | 1 +
 units/systemd-udevd.service.in | 1 +
 16 files changed, 16 insertions(+)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index ffcb5f36ca..f6166fa11c 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -29,6 +29,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 9c925e80d9..62e9b28f5b 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -25,6 +25,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 20704a8232..38b7d7e94b 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
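Review bot: In units/systemd-hostnamed.service.in the added `ProtectHostname=yes` works against the one task this daemon exists for. As documented, the option places the service in its own UTS namespace and denies sethostname()/setdomainname(), so a hostname change requested through hostnamed would be refused or stay confined to that private namespace instead of reaching the host. I would leave this unit out of the change and record the exemption with a comment such as `# ProtectHostname= is intentionally not set: this service sets the system hostname`. The [Service] section continues outside the hunk, so the rest of the unit's sandboxing is not visible here.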
@@ -20,6 +20,7 @@ KillMode=mixed
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
+ProtectHostname=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ebc8bf9a25..0f16ae4ccb 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -22,6 +22,7 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 29a99aaec1..71727295c3 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -23,6 +23,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 92cd4e5259..10e4d657d3 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -22,6 +22,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 4684f095c0..1807d73c68 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -23,6 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 01e0703d0e..a64e7e79a8 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -25,6 +25,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 38a7f269ac..fb6fda4907 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,6 +28,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 9f1476814d..d6deefea08 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 472ef045de..5da0e1e330 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -27,6 +27,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index a44cdb30a4..a8eab94d02 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
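Review bot: In units/systemd-journald.service.in the added `ProtectHostname=yes` gives the daemon a private UTS namespace, which per the documented semantics stops later hostname changes on the host from propagating into the service. If journald reads the kernel hostname to label entries (not visible in this hunk), records written after a rename would keep the old name until the service restarts, which weakens log attribution during an investigation. The same concern applies to the systemd-networkd hunk in this part of the patch and to the systemd-resolved hunk later on, if those daemons send or answer for the local hostname. I would drop the `ProtectHostname=yes` line from these three units, or confirm that each one learns of hostname changes through another channel.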
@@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
+ProtectHostname=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 3144b70063..eac3f31012 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -30,6 +30,7 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 6d53024195..46ee8c894d 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -23,6 +23,7 @@ NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 03ade45d08..5313a90c30 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -29,6 +29,7 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 6a3814e5d9..fb98ca4d43 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -26,6 +26,7 @@ KillMode=mixed
 WatchdogSec=3min
 TasksMax=infinity
 PrivateMounts=yes
+ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6