mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
units: turn on ProtectProc= wherever suitable
parent
ed125c936c
commit
24da96a1bd
@ -23,11 +23,12 @@ NoNewPrivileges=yes
|
|||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ReadWritePaths=/etc
|
ReadWritePaths=/etc
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
|
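Review bot: `ProtectProc=invisible` is inserted out of alphabetical order in this hunk, between `PrivateTmp=yes` and `ProtectControlGroups=yes`, while the same hunk moves `ProtectKernelLogs=yes` up to its sorted position before `ProtectKernelModules=yes`. Keeping the block sorted would place the new line after `ProtectKernelTunables=yes` and before `ProtectSystem=strict`, so a reader auditing the sandboxing options can find it where the other `Protect*=` settings lead them to look. The same placement recurs in every later hunk that adds `ProtectProc=invisible`. The unit's [Service] section starts and ends outside the hunk.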
@ -19,12 +19,13 @@ LockPersonality=yes
|
|||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
|
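Review bot: Whether `ProtectProc=invisible` has any effect for this unit cannot be confirmed from the hunk, because no `User=` or `DynamicUser=` line is in the visible context (it would sort below the lines shown). systemd.exec(5) documents that the setting leaves root unaffected and is bypassed by `CAP_SYS_PTRACE`, so on a service that still runs as root it would be inert while reading as hardening. If that is the case here, a comment above the line such as `# No effect while the service runs as root; kept for when User= is set` would keep an audit from over-counting it. The same question applies to the first hunk and to the later hunks that show no `User=`; the networkd unit is the exception, since `User=systemd-network` is visible in its second hunk.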
@ -21,13 +21,14 @@ NoNewPrivileges=yes
|
|||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectClock=yes
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
|
@ -19,12 +19,13 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
|
|||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
|
@ -23,12 +23,13 @@ NoNewPrivileges=yes
|
|||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ReadWritePaths=/etc
|
ReadWritePaths=/etc
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
|
@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
|
|||||||
DeviceAllow=char-input rw
|
DeviceAllow=char-input rw
|
||||||
DeviceAllow=char-tty rw
|
DeviceAllow=char-tty rw
|
||||||
DeviceAllow=char-vcs rw
|
DeviceAllow=char-vcs rw
|
||||||
# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
|
|
||||||
ExecStart=@rootlibexecdir@/systemd-logind
|
ExecStart=@rootlibexecdir@/systemd-logind
|
||||||
FileDescriptorStoreMax=512
|
FileDescriptorStoreMax=512
|
||||||
IPAddressDeny=any
|
IPAddressDeny=any
|
||||||
@ -36,12 +35,13 @@ LockPersonality=yes
|
|||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectClock=yes
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
ProtectKernelModules=yes
|
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ReadWritePaths=/etc /run
|
ReadWritePaths=/etc /run
|
||||||
Restart=always
|
Restart=always
|
||||||
|
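Review bot: The `ProtectProc=invisible` added after `PrivateTmp=yes` needs a stated justification in this unit, which appears to be the logind service (the preceding hunk shows `ExecStart=@rootlibexecdir@/systemd-logind`), because systemd.exec(5) says the setting cannot be used for services that need metainformation about other users' processes. Nothing in the visible lines shows whether logind reads `/proc/<pid>` entries of session processes owned by other users, or whether it runs with privileges that bypass the hiding, so this is a question rather than a confirmed breakage. A short comment recording which of the two holds, plus a login/session test on a kernel with per-mount `hidepid=` support, would make the change safe to keep. The [Service] section continues outside the hunk.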
@ -26,13 +26,15 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
|
|||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectClock=yes
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectKernelModules=yes
|
|
||||||
ProtectKernelLogs=yes
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
Restart=on-failure
|
Restart=on-failure
|
||||||
|
RestartKillSignal=SIGUSR2
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
@ -44,7 +46,6 @@ SystemCallArchitectures=native
|
|||||||
SystemCallErrorNumber=EPERM
|
SystemCallErrorNumber=EPERM
|
||||||
SystemCallFilter=@system-service
|
SystemCallFilter=@system-service
|
||||||
Type=notify
|
Type=notify
|
||||||
RestartKillSignal=SIGUSR2
|
|
||||||
User=systemd-network
|
User=systemd-network
|
||||||
@SERVICE_WATCHDOG@
|
@SERVICE_WATCHDOG@
|
||||||
|
|
||||||
|
@ -28,12 +28,13 @@ MemoryDenyWriteExecute=yes
|
|||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectClock=yes
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
|
@ -22,12 +22,13 @@ LockPersonality=yes
|
|||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
ReadWritePaths=/etc
|
ReadWritePaths=/etc
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
|
@ -27,12 +27,13 @@ MemoryDenyWriteExecute=yes
|
|||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
ProtectKernelLogs=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
ProtectKernelTunables=yes
|
ProtectKernelTunables=yes
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectSystem=strict
|
ProtectSystem=strict
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
|
@ -24,6 +24,7 @@ LockPersonality=yes
|
|||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
|
ProtectProc=invisible
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|