journal: limit caps we pass to journald

2024-12-22 13:33:56 +03:00 · 2012-02-09 02:06:13 +01:00 · 2012-02-09 02:06:13 +01:00 · ccd07a083e
commit ccd07a083e
parent cea6691857
2 changed files with 3 additions and 1 deletions
--- a/2
+++ b/2
@ -16,6 +16,8 @@ CHANGES WITH 41:
          understood to set system wide environment variables
          dynamically at boot.

+	* We now limit the set of capabilities of systemd-journald.
+
        Contributions from: Benjamin Franzke, Kay Sievers, Lennart
        Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen,
        William Douglas
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@ -18,7 +18,7 @@ After=syslog.socket
 ExecStart=@rootlibexecdir@/systemd-journald
 NotifyAccess=all
 StandardOutput=null
-#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER

 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service.