units: turn on ProtectKernelModules= for most long-running services

2017-02-09 11:09:50 +01:00 · 2017-02-09 11:09:50 +01:00 · b6c7278c38
parent c7fb922d62
commit b6c7278c38
10 changed files with 10 additions and 0 deletions
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@ -24,3 +24,4 @@ ProtectSystem=strict
 RuntimeMaxSec=5min
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd/coredump
 ProtectKernelModules=yes
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@ -31,6 +31,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@ -20,6 +20,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@ -30,6 +30,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes