ee8f26180d
This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
43 lines
1.5 KiB
SYSTEMD
43 lines
1.5 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1+
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Journal Service
|
|
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
|
|
DefaultDependencies=no
|
|
Requires=systemd-journald.socket
|
|
After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
|
|
Before=sysinit.target
|
|
|
|
[Service]
|
|
Type=notify
|
|
Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
|
|
ExecStart=@rootlibexecdir@/systemd-journald
|
|
Restart=always
|
|
RestartSec=0
|
|
StandardOutput=null
|
|
WatchdogSec=3min
|
|
FileDescriptorStoreMax=4224
|
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
|
|
MemoryDenyWriteExecute=yes
|
|
RestrictRealtime=yes
|
|
RestrictNamespaces=yes
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
SystemCallFilter=@system-service
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallArchitectures=native
|
|
LockPersonality=yes
|
|
IPAddressDeny=any
|
|
|
|
# Increase the default a bit in order to allow many simultaneous
|
|
# services being run since we keep one fd open per service. Also, when
|
|
# flushing journal files to disk, we might need a lot of fds when many
|
|
# journal files are combined.
|
|
LimitNOFILE=16384
|