From 6489ccfe48bb21a43694b60173a49d140b4fb91f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 9 Feb 2017 11:22:08 +0100
Subject: [PATCH] units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings

Tighten security up a bit more.
---
 units/systemd-hostnamed.service.in | 2 +-
 units/systemd-importd.service.in | 2 +-
 units/systemd-journald.service.in | 2 +-
 units/systemd-localed.service.in | 2 +-
 units/systemd-logind.service.in | 2 +-
 units/systemd-machined.service.in | 2 +-
 units/systemd-networkd.service.m4.in | 2 +-
 units/systemd-resolved.service.m4.in | 2 +-
 units/systemd-timedated.service.in | 2 +-
 units/systemd-timesyncd.service.in | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 85410adc72b..01a8ec9f573 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index de2431739ff..75585d5dbcc 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -21,5 +21,5 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index adabedd977b..64253f59d4c 100644
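Review bot: The setting stays a deny-list (`~`), so what this line actually closes is exactly whatever @reboot and @swap expand to in the seccomp group table, which this patch does not touch, and a reader of the unit gets no hint of that or of what happens when a filtered call is attempted. A one-line comment above the setting would carry the intent: `# Deny-list: only the named syscall groups are blocked; a match terminates the service (SIGSYS) unless SystemCallErrorNumber= is set.` The reboot/kexec and swapon/swapoff calls are presumably already unreachable through this unit's capability bounding set, which is not visible in the hunk, so this is defense in depth rather than a new barrier, and the note should say so.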
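Review bot: importd is the one service in this series that both accepts remote data (RestrictAddressFamilies= keeps AF_INET and AF_INET6) and processes it, yet its deny-list is shorter than hostnamed's in the hunk above: @mount is absent, so mount(2)/umount2(2) remain reachable from a compromised importd. I cannot tell from this hunk whether the daemon itself, or a helper it spawns, genuinely needs mount; if it does not, the line should read `SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap`, and if it does, a comment recording why @mount is left open would spare the next reviewer the same question.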
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,7 +28,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index a41e30bfdf5..f76012a34c8 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -27,6 +27,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index 93abeb3dca0..e20a3ad0576 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -29,7 +29,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 3c46d04f64e..0b0bbf272cd 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -20,7 +20,7 @@ CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_C
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 # Note that machined cannot be placed in a mount namespace, since it
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index d33deb97b63..c3f153046a8 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -35,7 +35,7 @@ ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/run/systemd
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 08f0a85aea3..820e299168c 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -35,7 +35,7 @@ ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/run/systemd
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2881e122dc9..f691f475172 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
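Review bot: machined is the only unit in this series whose bounding set visibly keeps CAP_SYS_ADMIN (the truncated CapabilityBoundingSet= line in the hunk header), so swapon(2)/swapoff(2) were never stopped by capability dropping here and the new `@swap` entry is the only thing that closes them, whereas `@reboot` covers calls gated by CAP_SYS_BOOT, which may or may not sit in the part of the list git cut off. That asymmetry deserves a comment so a later cleanup does not treat the filter as redundant with the capability set: `# CAP_SYS_ADMIN stays in the bounding set, so @swap (not capabilities) is what blocks swapon()/swapoff() here.` The filter also still omits @mount and the file has no RestrictNamespaces=, consistent with the context line below about mount namespaces, which leaves mount(2)/umount2(2) open; if that is deliberate because machined has to manipulate mounts, record it next to SystemCallFilter= rather than only in the namespace note.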
@@ -25,6 +25,6 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/etc
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index ab48a7aa302..8d328bb80a4 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -35,7 +35,7 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd
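Review bot: This filter deliberately lacks the @clock group that every other unit in the series denies, presumably because timedated has to set the system clock, but nothing in the file records that, and a future consistency pass could add it without any configuration error, the failure presumably surfacing only as the daemon being killed on its first clock call. Suggest a comment directly above the setting: `# @clock is intentionally not filtered: this service sets the system clock.`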
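Review bot: As in timedated, @clock is left out of the deny-list here, and timesyncd is also the unit in this series that talks to network peers (AF_INET and AF_INET6 in RestrictAddressFamilies=), so the one allowance kept is precisely the capability an attacker who gains code execution in it would want. The omission is right, but it should be documented in the unit so it is not "fixed" later: `# @clock is deliberately allowed: timesyncd sets the system clock; keep the rest of the filter in place around that exception.`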