units: switch on ProtectSystem=strict for our long running services

Let's step up the protection a notch
2025-02-02 09:47:03 +03:00 · 2017-02-09 10:58:28 +01:00 · 2017-02-09 10:58:28 +01:00 · c7fb922d62
commit c7fb922d62
parent 3c19d0b46b
10 changed files with 18 additions and 10 deletions
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@ -20,6 +20,7 @@ ExecStart=-@rootlibexecdir@/systemd-coredump
 Nice=9
 OOMScoreAdjust=500
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 RuntimeMaxSec=5min
 SystemCallArchitectures=native
+ReadWritePaths=/var/lib/systemd/coredump
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@ -18,7 +18,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@ -28,3 +28,4 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/etc
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@ -18,7 +18,7 @@ SupplementaryGroups=systemd-journal
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@ -18,7 +18,7 @@ WatchdogSec=3min
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+ReadWritePaths=/var/log/journal/remote

 [Install]
 Also=systemd-journal-remote.socket
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@ -18,7 +18,7 @@ SupplementaryGroups=systemd-journal
 WatchdogSec=3min
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@ -18,7 +18,7 @@ CapabilityBoundingSet=
 PrivateTmp=yes
 PrivateDevices=yes
 PrivateNetwork=yes
-ProtectSystem=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@ -28,3 +28,4 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/etc
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@ -28,7 +28,7 @@ RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 MemoryDenyWriteExecute=yes
@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/run/systemd

 [Install]
 WantedBy=multi-user.target
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@ -27,7 +27,7 @@ WatchdogSec=3min
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/run/systemd

 [Install]
 WantedBy=multi-user.target
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@ -16,7 +16,7 @@ BusName=org.freedesktop.timedate1
 WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME
 PrivateTmp=yes
-ProtectSystem=yes
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@ -26,3 +26,4 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/etc
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@ -26,7 +26,7 @@ WatchdogSec=3min
 CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
 PrivateTmp=yes
 PrivateDevices=yes
-ProtectSystem=full
+ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
@ -36,6 +36,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
 SystemCallArchitectures=native
+ReadWritePaths=/var/lib/systemd

 [Install]
 WantedBy=sysinit.target