1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

units: lock down coredump service a bit

Dissecting a coredump is possibly risky and might take a while, hence
lock down the unit as much as we can.
This commit is contained in:
Lennart Poettering 2017-02-09 11:17:45 +01:00
parent b6c7278c38
commit 924453c225

View File

@ -19,9 +19,19 @@ Before=shutdown.target
ExecStart=-@rootlibexecdir@/systemd-coredump
Nice=9
OOMScoreAdjust=500
RuntimeMaxSec=5min
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=strict
RuntimeMaxSec=5min
ProtectHome=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
SystemCallArchitectures=native
ReadWritePaths=/var/lib/systemd/coredump
ProtectKernelModules=yes