From bff8f2543b27d44d8b245eb78ad7e47607d4a53f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 14 Sep 2017 19:45:40 +0200
Subject: [PATCH] units: set LockPersonality= for all our long-running services (#6819)

Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
---
 TODO | 2 --
 units/systemd-coredump@.service.in | 1 +
 units/systemd-hostnamed.service.in | 1 +
 units/systemd-importd.service.in | 1 +
 units/systemd-journal-gatewayd.service.in | 1 +
 units/systemd-journal-remote.service.in | 1 +
 units/systemd-journal-upload.service.in | 1 +
 units/systemd-journald.service.in | 1 +
 units/systemd-localed.service.in | 1 +
 units/systemd-logind.service.in | 1 +
 units/systemd-machined.service.in | 1 +
 units/systemd-networkd.service.in | 1 +
 units/systemd-resolved.service.in | 1 +
 units/systemd-timedated.service.in | 1 +
 units/systemd-timesyncd.service.in | 1 +
 units/systemd-udevd.service.in | 1 +
 16 files changed, 15 insertions(+), 2 deletions(-)

diff --git a/TODO b/TODO
index e65733e334..cabba100a5 100644
--- a/TODO
+++ b/TODO
@@ -27,8 +27,6 @@ Features:
 * dissect: when we discover squashfs, don't claim we had a "writable" partition in systemd-dissect
-* set LockPersonality= on all our services
-
 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however creates a static, persistent user rather than a dynamic, transient user. We can leverage code from sysusers.d for this.
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c699a80f34..d7eaf3398e 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,4 +33,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/coredump
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index d29e9ff81b..9bb5ad8cac 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 58762055eb..695a5f21cb 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -23,3 +23,4 @@ RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index fd7a9718f7..b24d698c8a 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -25,6 +25,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 # If there are many split upjournal files we need a lot of fds to
 # access them all and combine
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index c24e673d82..92cec21c2f 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 LogsDirectory=journal/remote
 [Install]
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index b0bee3925e..98a4b2bb7a 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -28,6 +28,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/journal-upload
 # If there are many split up journal files we need a lot of fds to
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 1e86d63648..07e03e736e 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -29,6 +29,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 90a913881a..1366fa7910 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f851373658..f6daf7755c 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,6 +30,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 FileDescriptorStoreMax=512
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index a4f86aa7c8..fb4df38293 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 3f0ad77b7d..932dd63964 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -34,6 +34,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ba8d3f6bb1..cda83ee966 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2b5f0744c9..9fca1d1905 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,4 +27,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a6e14d24d1..8d3f46cf5e 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,6 +38,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/timesync
 [Install]
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 3b92c6a866..d3d13ed7cf 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,3 +28,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
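Review bot: The seccomp filter that `LockPersonality=yes` installs on the new last line of systemd-udevd.service.in is inherited across fork and exec, so it also applies to the external programs udev rules start through PROGRAM= and RUN=; a rule helper that calls personality(2) to switch execution domain will now be refused (with an error rather than a kill, if I recall the implementation correctly — worth confirming), and neither the unit nor the commit message says so. That is the intended lock-down, but udevd is the one unit in this patch that routinely executes third-party binaries, so a comment above the line would help packagers, e.g. `# Inherited by programs spawned from rules: personality(2) changes are refused there as well`, plus a NEWS entry. Since the description says the setting can only be properly tested by using it, a rule helper that attempts a personality change would be the natural case to add to that test.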