shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-03 05:18:09 +03:00
Code

units: set ProtectKernelLogs=yes on relevant units

Browse Source 
We set ProtectKernelLogs=yes on all long running services except for
udevd, since it accesses /dev/kmsg, and journald, since it calls syslog
and accesses /dev/kmsg.
This commit is contained in:
Kevin Kuehler 2019-11-13 16:56:23 -08:00
parent 806aea3879
commit 6168ae5840
13 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
units/systemd-coredump@.service.in
View File

@ -32,6 +32,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes

1
units/systemd-hostnamed.service.in
View File

@ -27,6 +27,7 @@ ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX

1
units/systemd-journal-gatewayd.service.in
View File

@ -24,6 +24,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

1
units/systemd-journal-remote.service.in
View File

@ -26,6 +26,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes

1
units/systemd-journal-upload.service.in
View File

@ -24,6 +24,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

1
units/systemd-localed.service.in
View File

@ -28,6 +28,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX

1
units/systemd-logind.service.in
View File

@ -41,6 +41,7 @@ ProtectControlGroups=yes
ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc /run
Restart=always

1
units/systemd-machined.service.in
View File

@ -24,6 +24,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
ProtectHostname=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes
SystemCallArchitectures=native

1
units/systemd-networkd.service.in
View File

@ -29,6 +29,7 @@ NoNewPrivileges=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectSystem=strict
Restart=on-failure
RestartSec=0

1
units/systemd-portabled.service.in
View File

@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
MemoryDenyWriteExecute=yes
ProtectHostname=yes
ProtectKernelLogs=yes
RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service @mount

1
units/systemd-resolved.service.in
View File

@ -32,6 +32,7 @@ ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
Restart=always
RestartSec=0

1
units/systemd-timedated.service.in
View File

@ -27,6 +27,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX

1
units/systemd-timesyncd.service.in
View File

@ -32,6 +32,7 @@ ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict
Restart=always
RestartSec=0