
Merge pull request #10744 from poettering/logind-lock-down

units: lock down logind with fs namespacing options
This commit is contained in:
Lennart Poettering 2018-11-13 10:38:47 +01:00 committed by GitHub
commit 53a3e8fc7a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -21,18 +21,26 @@ After=dbus.socket
[Service] [Service]
BusName=org.freedesktop.login1 BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
ExecStart=@rootlibexecdir@/systemd-logind ExecStart=@rootlibexecdir@/systemd-logind
FileDescriptorStoreMax=512 FileDescriptorStoreMax=512
IPAddressDeny=any IPAddressDeny=any
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectSystem=strict
ReadWritePaths=/etc
Restart=always Restart=always
RestartSec=0 RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK RestrictAddressFamilies=AF_UNIX AF_NETLINK
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes
RuntimeDirectory=systemd/sessions systemd/seats systemd/users
RuntimeDirectoryPreserve=yes
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service SystemCallFilter=@system-service
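Review bot: `ProtectSystem=strict` with only `ReadWritePaths=/etc` re-opened leaves `/var` read-only for logind, and as far as I can tell the linger state that `loginctl enable-linger` creates lives under `/var/lib/systemd/linger`, so that call would start failing on a read-only filesystem after this change; adding `StateDirectory=systemd/linger` next to the `RuntimeDirectory=` line would grant exactly that path while keeping the rest of `/var` protected. The same check is worth running for any runtime state logind keeps outside the three listed `RuntimeDirectory=` entries (inhibitor and scheduled-shutdown files under `/run/systemd/`, if they are still written there), since `/run` is also read-only under strict apart from the declared runtime directories. Separately, `ReadWritePaths=/etc` hands back write access to the whole of `/etc`; a one-line comment above it naming what logind actually writes there — `# needed for: <path logind writes under /etc>` — would let the exception be narrowed later and stops it reading like an oversight. The `[Service]` section continues past the end of the hunk.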