diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 1365d749ca4..923f32f6dbb 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -23,11 +23,12 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 8071395e680..2436f2a2cf1 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -19,12 +19,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
 PrivateNetwork=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 334f030caa9..82befc99127 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -21,13 +21,14 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 2f1cce85187..8b9a9ebdfb3 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
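Review bot: The hunk re-sorts `ProtectKernelLogs=yes` into alphabetical position but inserts the new `ProtectProc=invisible` ahead of `ProtectControlGroups=yes`, where it is out of order; alphabetically it belongs after `ProtectKernelTunables=yes` and before `ProtectSystem=strict`. The same placement recurs in every other unit touched by this commit (journal-gatewayd, journal-remote, journal-upload, localed, logind, networkd, resolved, timedated, timesyncd, userdbd). Since the commit is itself tidying the order of the Protect* keys, it would be consistent to move `+ProtectProc=invisible` down to that slot in each file.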
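Review bot: `ProtectProc=invisible` is documented as depending on per-instance procfs mount options (Linux 5.8 and newer) and as having no effect on older kernels, so the hardening this line adds is best-effort rather than guaranteed; on a host with an older kernel the unit keeps the same view of /proc as before and nothing reports that the setting was skipped. A one-line comment above it, e.g. `# Needs per-instance procfs hidepid= support (Linux 5.8+); silently a no-op on older kernels`, would record that for anyone auditing the sandbox, and `systemd-analyze security systemd-journal-gatewayd.service` on the target host is a quick way to confirm the setting is actually applied. The same caveat applies to every other unit in this commit.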
@@ -19,12 +19,13 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 PrivateDevices=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 10ecff5184a..69d25f67333 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -23,12 +23,13 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 0147b30e0db..ba1b9b791bc 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
 DeviceAllow=char-input rw
 DeviceAllow=char-tty rw
 DeviceAllow=char-vcs rw
-# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
 ExecStart=@rootlibexecdir@/systemd-logind
 FileDescriptorStoreMax=512
 IPAddressDeny=any
@@ -36,12 +35,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 26731468413..6ccbb5a95d0 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
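Review bot: For logind the new `ProtectProc=invisible` may be largely cosmetic: the visible hunks show no `User=` line for this service, and procfs hidepid= hides another user's /proc/PID entry only from callers that fail the kernel's ptrace access check, which a root process holding CAP_SYS_PTRACE passes. Whether the unit's capability settings (outside this hunk) drop that capability cannot be seen here; if they do not, the line presumably just adds a mount namespace without hiding anything, which is worth confirming before relying on it. A short comment stating the intended effect for this root service, e.g. `# hidepid= only hides other users' /proc/PID entries from callers without ptrace access`, would make the decision auditable.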
@@ -26,13 +26,15 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
-ProtectKernelModules=yes
 ProtectKernelLogs=yes
+ProtectKernelModules=yes
 ProtectSystem=strict
 Restart=on-failure
+RestartKillSignal=SIGUSR2
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
 RestrictNamespaces=yes
@@ -44,7 +46,6 @@ SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
 Type=notify
-RestartKillSignal=SIGUSR2
 User=systemd-network
 @SERVICE_WATCHDOG@
 
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 5723f1c1e2e..ecfc999a922 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -28,12 +28,13 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 87859f4aef3..2d51c0f8934 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -22,12 +22,13 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 92ee94582cd..e27c74fca17 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -27,12 +27,13 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
diff --git a/units/systemd-userdbd.service.in b/units/systemd-userdbd.service.in
index 3b767053730..bbfd83a8f29 100644
--- a/units/systemd-userdbd.service.in
+++ b/units/systemd-userdbd.service.in
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
+ProtectProc=invisible
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes