mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
This commit is contained in:
parent
07883f198d
commit
0a9b166b43
@ -34,4 +34,5 @@ RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
StateDirectory=systemd/coredump
|
||||
|
@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
ReadWritePaths=/etc
|
||||
|
@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
|
||||
# Increase the default a bit in order to allow many simultaneous
|
||||
# services being run since we keep one fd open per service. Also, when
|
||||
|
@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
ReadWritePaths=/etc
|
||||
|
@ -31,6 +31,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
FileDescriptorStoreMax=512
|
||||
|
||||
# Increase the default a bit in order to allow many simultaneous
|
||||
|
@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
|
||||
# Note that machined cannot be placed in a mount namespace, since it
|
||||
# needs access to the host's mount namespace in order to implement the
|
||||
|
@ -28,4 +28,5 @@ RestrictAddressFamilies=AF_UNIX
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
ReadWritePaths=/etc
|
||||
|
@ -29,3 +29,4 @@ RestrictRealtime=yes
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallArchitectures=native
|
||||
LockPersonality=yes
|
||||
IPAddressDeny=any
|
||||
|
Loading…
Reference in New Issue
Block a user