units: enable ProtectHostname=yes

2019-02-19 00:30:12 +02:00 · 2019-02-19 00:30:12 +02:00 · 99894b867f
parent aecd5ac621
commit 99894b867f
16 changed files with 16 additions and 0 deletions
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@ -29,6 +29,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@ -25,6 +25,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@ -20,6 +20,7 @@ KillMode=mixed
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
 NoNewPrivileges=yes
 MemoryDenyWriteExecute=yes
+ProtectHostname=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@ -22,6 +22,7 @@ PrivateDevices=yes
 PrivateNetwork=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@ -23,6 +23,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@ -22,6 +22,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@ -23,6 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@ -25,6 +25,7 @@ PrivateNetwork=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@ -28,6 +28,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@ -23,6 +23,7 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectHostname=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@ -27,6 +27,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
+ProtectHostname=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@ -30,6 +30,7 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@ -23,6 +23,7 @@ NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@ -29,6 +29,7 @@ PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 ProtectSystem=strict
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@ -26,6 +26,7 @@ KillMode=mixed
 WatchdogSec=3min
 TasksMax=infinity
 PrivateMounts=yes
+ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6