shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-05 13:18:06 +03:00
Code

units: enable ProtectHostname=yes

Browse Source
This commit is contained in:
Topi Miettinen 2019-02-19 00:30:12 +02:00
parent aecd5ac621
commit 99894b867f
16 changed files with 16 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
units/systemd-coredump@.service.in
View File

@ -29,6 +29,7 @@ PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-hostnamed.service.in
View File

@ -25,6 +25,7 @@ PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-importd.service.in
View File

@ -20,6 +20,7 @@ KillMode=mixed
CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP CAP_DAC_OVERRIDE
NoNewPrivileges=yes NoNewPrivileges=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
ProtectHostname=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=net RestrictNamespaces=net
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

1
units/systemd-journal-gatewayd.service.in
View File

@ -22,6 +22,7 @@ PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

1
units/systemd-journal-remote.service.in
View File

@ -23,6 +23,7 @@ PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-journal-upload.service.in
View File

@ -22,6 +22,7 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

1
units/systemd-journald.service.in
View File

@ -23,6 +23,7 @@ IPAddressDeny=any
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
ProtectHostname=yes
Restart=always Restart=always
RestartSec=0 RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK RestrictAddressFamilies=AF_UNIX AF_NETLINK

1
units/systemd-localed.service.in
View File

@ -25,6 +25,7 @@ PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-logind.service.in
View File

@ -28,6 +28,7 @@ IPAddressDeny=any
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
ProtectHostname=yes
Restart=always Restart=always
RestartSec=0 RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK RestrictAddressFamilies=AF_UNIX AF_NETLINK

1
units/systemd-machined.service.in
View File

@ -23,6 +23,7 @@ IPAddressDeny=any
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
ProtectHostname=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
RestrictRealtime=yes RestrictRealtime=yes
SystemCallArchitectures=native SystemCallArchitectures=native

1
units/systemd-networkd.service.in
View File

@ -27,6 +27,7 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectSystem=strict ProtectSystem=strict
Restart=on-failure Restart=on-failure

1
units/systemd-portabled.service.in
View File

@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
WatchdogSec=3min WatchdogSec=3min
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
ProtectHostname=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
SystemCallFilter=@system-service @mount SystemCallFilter=@system-service @mount

1
units/systemd-resolved.service.in
View File

@ -30,6 +30,7 @@ PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-timedated.service.in
View File

@ -23,6 +23,7 @@ NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-timesyncd.service.in
View File

@ -29,6 +29,7 @@ PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict

1
units/systemd-udevd.service.in
View File

@ -26,6 +26,7 @@ KillMode=mixed
WatchdogSec=3min WatchdogSec=3min
TasksMax=infinity TasksMax=infinity
PrivateMounts=yes PrivateMounts=yes
ProtectHostname=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6