From 0a9b166b43e9d035034beb929ed2c892094af9dc Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 4 Oct 2017 14:16:28 +0200
Subject: [PATCH] units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
---
 units/systemd-coredump@.service.in | 1 +
 units/systemd-hostnamed.service.in | 1 +
 units/systemd-journald.service.in | 1 +
 units/systemd-localed.service.in | 1 +
 units/systemd-logind.service.in | 1 +
 units/systemd-machined.service.in | 1 +
 units/systemd-timedated.service.in | 1 +
 units/systemd-udevd.service.in | 1 +
 8 files changed, 8 insertions(+)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index d7eaf3398e7..ef58f0cb3ef 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -34,4 +34,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 StateDirectory=systemd/coredump
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 9bb5ad8cac0..cfee2cbbf19 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 ReadWritePaths=/etc
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 07e03e736ef..a747fe3f1f2 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
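Review bot: In systemd-coredump@.service the new `IPAddressDeny=any` is redundant with the `RestrictAddressFamilies=AF_UNIX` visible in the hunk header, which already stops the service from creating an IP socket at all, and nothing in the unit says the two are meant to overlap. They are also enforced differently: RestrictAddressFamilies= is a seccomp filter on socket(), while IPAddressDeny= is, as far as I recall, a cgroup-attached BPF filter that needs the unified cgroup hierarchy and kernel support and is otherwise skipped with a warning, so it should be read as defense in depth rather than the primary control. I would record that above the added line: `# Defense in depth: RestrictAddressFamilies= already forbids IP sockets; this also drops any IP traffic should that filter ever be relaxed.` The systemd-hostnamed hunk on this line has the same AF_UNIX-only family list and would take the same comment.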
@@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 1366fa79106..5dd8b188947 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f6daf7755cd..de380a27d38 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -31,6 +31,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 FileDescriptorStoreMax=512
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index fb4df382931..03b9bf5c0db 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
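Review bot: In systemd-logind.service the added `IPAddressDeny=any` sits under a `RestrictAddressFamilies=` that still lists AF_INET and AF_INET6 (hunk header), so the daemon can still open IP sockets while every packet on them is refused, and the unit does not record why those families are kept. Without that reason a later reviewer is likely to drop either the families ("traffic is denied anyway") or the deny ("the families are needed, so IP is wanted"), and both moves silently change the sandbox. If the families are retained only for non-traffic uses such as socket-based ioctls, I would say so next to the new line: `# AF_INET/AF_INET6 remain allowed for local socket operations only; IPAddressDeny= blocks all actual IP traffic.` I cannot tell from the hunk what logind does with the IP families, so the wording needs confirming against the code; the systemd-machined hunk on this line has the same family list and deny and could carry the same comment.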
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 9fca1d1905d..97130e93c34 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -28,4 +28,5 @@ RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 ReadWritePaths=/etc
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index d3d13ed7cf2..03909f5d7ff 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -29,3 +29,4 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
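Review bot: In systemd-udevd.service `IPAddressDeny=any` is a cgroup-scoped filter, so it applies not only to the daemon but to every helper udevd forks from rules (`PROGRAM=`/`RUN=`), which stay in the unit's cgroup; a rule helper that performs IP traffic will see its sends fail (EPERM, in my experience) and the commit message does not mention this behavioural change. Since `RestrictAddressFamilies=` in this hunk still permits AF_INET and AF_INET6, the new line is the only thing standing between such a helper and the network, so the consequence belongs in the unit itself: `# Enforced on the whole cgroup, including RUN=/PROGRAM= helpers: udev rules must not depend on network access.` The udevd hunk ends at the end of the file, so there is no following setting to place the comment against other than this one.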