
units: turn on ProtectProc= wherever suitable

This commit is contained in:
Lennart Poettering 2020-08-06 14:50:38 +02:00
parent ed125c936c
commit 24da96a1bd
11 changed files with 22 additions and 12 deletions


@ -23,11 +23,12 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX
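Review bot: The new `ProtectProc=invisible` line is inserted between `PrivateTmp=` and `ProtectControlGroups=`, which breaks the alphabetical ordering the rest of the `[Service]` block keeps and that this same hunk restores for `ProtectKernelLogs=`; alphabetically it belongs after `ProtectKernelTunables=yes` and before `ProtectSystem=strict`. The same placement is used in every other file section of this commit, so fixing it once here should be applied throughout. It would also help to document that the setting is conditional hardening: `ProtectProc=` relies on per-mount `hidepid=` support in procfs (Linux 5.8+) and is silently without effect on older kernels, and it only hides processes of other users, never those of the service's own UID, so a one-line comment such as `# ProtectProc= needs per-mount hidepid= support (Linux 5.8+); silently ineffective on older kernels` next to the line would keep readers from treating it as a guarantee. Moving `ProtectKernelLogs=` is also outside what the commit message describes; presumably it is an ordering cleanup, but the message could say so.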


@ -19,12 +19,13 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes


@ -21,13 +21,14 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes


@ -19,12 +19,13 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
PrivateDevices=yes PrivateDevices=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes


@ -23,12 +23,13 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX


@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
DeviceAllow=char-input rw DeviceAllow=char-input rw
DeviceAllow=char-tty rw DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw DeviceAllow=char-vcs rw
# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
ExecStart=@rootlibexecdir@/systemd-logind ExecStart=@rootlibexecdir@/systemd-logind
FileDescriptorStoreMax=512 FileDescriptorStoreMax=512
IPAddressDeny=any IPAddressDeny=any
@ -36,12 +35,13 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc /run ReadWritePaths=/etc /run
Restart=always Restart=always
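Review bot: For this service `ProtectProc=invisible` interacts with the unit's capability set in a way worth verifying before merging: the kernel's `hidepid=` visibility check exempts callers holding `CAP_SYS_PTRACE`, so if the `CapabilityBoundingSet=` for this unit (outside the hunk) retains that capability the new line adds no protection, and if it does not, any code path in `systemd-logind` that reads `/proc/<pid>/` entries for processes owned by other users would now see them as absent. I cannot tell from the hunk which case applies, so a short comment recording the intended interaction, e.g. `# ProtectProc= hides other users' processes unless CAP_SYS_PTRACE is held; confirm session tracking does not depend on /proc/<pid>/ of other users`, or a pointer to the test that covers it, would make the intent explicit. The first hunk's removal of the `DeviceAllow=` comment is unrelated to the title and could be mentioned in the commit message.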


@ -26,13 +26,15 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict ProtectSystem=strict
Restart=on-failure Restart=on-failure
RestartKillSignal=SIGUSR2
RestartSec=0 RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
RestrictNamespaces=yes RestrictNamespaces=yes
@ -44,7 +46,6 @@ SystemCallArchitectures=native
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service SystemCallFilter=@system-service
Type=notify Type=notify
RestartKillSignal=SIGUSR2
User=systemd-network User=systemd-network
@SERVICE_WATCHDOG@ @SERVICE_WATCHDOG@


@ -28,12 +28,13 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
Restart=always Restart=always
RestartSec=0 RestartSec=0


@ -22,12 +22,13 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX


@ -27,12 +27,13 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
Restart=always Restart=always
RestartSec=0 RestartSec=0


@ -24,6 +24,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes