units: lock down systemd-logind.service with various fs namespacing options
Now that logind doesn't mount $XDG_RUNTIME_DIR anymore, we can lock down the service using fs namespacing (as we no longer need the mount to propagate to the host namespace).
parent
1bded6b28f
commit
45ae3f6117
@ -28,11 +28,19 @@ IPAddressDeny=any
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
||||
PrivateTmp=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectSystem=strict
|
||||
ReadWritePaths=/etc
|
||||
Restart=always
|
||||
RestartSec=0
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RuntimeDirectory=systemd/sessions systemd/seats systemd/users
|
||||
RuntimeDirectoryPreserve=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallErrorNumber=EPERM
|
||||
SystemCallFilter=@system-service
|
||||
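Review bot: With `ProtectSystem=strict` the only writable locations left are `ReadWritePaths=/etc` and the three `RuntimeDirectory=` entries, so any other path logind writes at runtime (state under /var/lib or further /run/systemd subdirectories, if it has any; not visible here) would start failing on a read-only filesystem. The +/- markers are lost on this page, so this assumes the `PrivateTmp`, `Protect*` and `ReadWritePaths` lines are the added ones, as the commit title suggests. `ReadWritePaths=/etc` also reopens the whole of /etc with no stated reason; I would narrow it to the specific path logind writes, or at least add a comment above it such as `# logind needs write access to /etc for <reason>; everything else stays read-only`. A quick check that lingering and inhibitor locks still work under the new sandbox would confirm the write set is complete.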
|