mirror of
https://github.com/systemd/systemd-stable.git
synced 2025-01-25 06:03:40 +03:00
units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. Fixes: #1219
This commit is contained in:
Lennart Poettering
Zbigniew Jędrzejewski-Szmek
parent
52ef7bbbe6
commit
64d7f7b4a1
@ -22,6 +22,7 @@ IPAddressDeny=any
|
|||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
Nice=9
|
Nice=9
|
||||||
|
NoNewPrivileges=yes
|
||||||
OOMScoreAdjust=500
|
OOMScoreAdjust=500
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
|
|||||||
@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
|
|||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
|||||||
@ -14,5 +14,6 @@ DefaultDependencies=no
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=@rootlibexecdir@/systemd-initctl
|
ExecStart=@rootlibexecdir@/systemd-initctl
|
||||||
|
NoNewPrivileges=yes
|
||||||
NotifyAccess=all
|
NotifyAccess=all
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
|||||||
@ -17,6 +17,7 @@ DynamicUser=yes
|
|||||||
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
|
ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
|
|||||||
@ -17,6 +17,7 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
|
|||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
LogsDirectory=journal/remote
|
LogsDirectory=journal/remote
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
|||||||
@ -18,6 +18,7 @@ DynamicUser=yes
|
|||||||
ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
|
ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
|
|||||||
@ -22,6 +22,7 @@ FileDescriptorStoreMax=4224
|
|||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||||
|
|||||||
@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-localed
|
|||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
|||||||
@ -27,6 +27,7 @@ FileDescriptorStoreMax=512
|
|||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||||
|
|||||||
@ -22,6 +22,7 @@ ExecStart=@rootlibexecdir@/systemd-machined
|
|||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
|||||||
@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
|
|||||||
ExecStart=!!@rootlibexecdir@/systemd-networkd
|
ExecStart=!!@rootlibexecdir@/systemd-networkd
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
|
|||||||
@ -25,6 +25,7 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|||||||
ExecStart=!!@rootlibexecdir@/systemd-resolved
|
ExecStart=!!@rootlibexecdir@/systemd-resolved
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
|
|||||||
@ -18,6 +18,7 @@ Before=shutdown.target
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=@rootlibexecdir@/systemd-rfkill
|
ExecStart=@rootlibexecdir@/systemd-rfkill
|
||||||
|
NoNewPrivileges=yes
|
||||||
StateDirectory=systemd/rfkill
|
StateDirectory=systemd/rfkill
|
||||||
TimeoutSec=30s
|
TimeoutSec=30s
|
||||||
Type=notify
|
Type=notify
|
||||||
|
|||||||
@ -19,6 +19,7 @@ ExecStart=@rootlibexecdir@/systemd-timedated
|
|||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
|
|||||||
@ -24,6 +24,7 @@ CapabilityBoundingSet=CAP_SYS_TIME
|
|||||||
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user