mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-10-27 01:55:32 +03:00
Merge pull request #10744 from poettering/logind-lock-down
units: lock down logind with fs namespacing options
This commit is contained in:
commit
53a3e8fc7a
@ -21,18 +21,26 @@ After=dbus.socket
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
BusName=org.freedesktop.login1
|
BusName=org.freedesktop.login1
|
||||||
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
|
||||||
ExecStart=@rootlibexecdir@/systemd-logind
|
ExecStart=@rootlibexecdir@/systemd-logind
|
||||||
FileDescriptorStoreMax=512
|
FileDescriptorStoreMax=512
|
||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHome=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectSystem=strict
|
||||||
|
ReadWritePaths=/etc
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
|
RuntimeDirectory=systemd/sessions systemd/seats systemd/users
|
||||||
|
RuntimeDirectoryPreserve=yes
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
SystemCallErrorNumber=EPERM
|
SystemCallErrorNumber=EPERM
|
||||||
SystemCallFilter=@system-service
|
SystemCallFilter=@system-service
|
||||||
|
Loading…
Reference in New Issue
Block a user