0c28d51ac8
Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
43 lines
1.5 KiB
Plaintext
43 lines
1.5 KiB
Plaintext
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Network Service
|
|
Documentation=man:systemd-networkd.service(8)
|
|
ConditionCapability=CAP_NET_ADMIN
|
|
DefaultDependencies=no
|
|
# dbus.service can be dropped once on kdbus, and systemd-udevd.service can be
|
|
# dropped once tuntap is moved to netlink
|
|
After=systemd-udevd.service dbus.service network-pre.target systemd-sysusers.service systemd-sysctl.service
|
|
Before=network.target multi-user.target shutdown.target
|
|
Conflicts=shutdown.target
|
|
Wants=network.target
|
|
|
|
# On kdbus systems we pull in the busname explicitly, because it
|
|
# carries policy that allows the daemon to acquire its name.
|
|
Wants=org.freedesktop.network1.busname
|
|
After=org.freedesktop.network1.busname
|
|
|
|
[Service]
|
|
Type=notify
|
|
Restart=on-failure
|
|
RestartSec=0
|
|
ExecStart=@rootlibexecdir@/systemd-networkd
|
|
WatchdogSec=3min
|
|
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
|
|
ProtectSystem=full
|
|
ProtectHome=yes
|
|
ProtectControlGroups=yes
|
|
MemoryDenyWriteExecute=yes
|
|
RestrictRealtime=yes
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
|
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
Also=systemd-networkd.socket
|