mirror of
https://github.com/systemd/systemd.git
synced 2024-11-01 09:21:26 +03:00
Merge pull request #3498 from poettering/syscall-filter-fixes
Syscall filter fixes, tighter nspawn seccomp sandbox by default
This commit is contained in:
Lennart Poettering
GitHub
commit
9ea8e2ce85
4
TODO
4
TODO
@ -47,6 +47,10 @@ Features:
|
||||
|
||||
* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
|
||||
|
||||
* RestrictRealtime= which takes aware ability to create realtime processes
|
||||
|
||||
* nspawn: make /proc/sys/net writable?
|
||||
|
||||
* make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things
|
||||
|
||||
* journalctl: make sure -f ends when the container indicated by -M terminates
|
||||
|
||||
@ -1218,49 +1218,55 @@
|
||||
<tbody>
|
||||
<row>
|
||||
<entry>@clock</entry>
|
||||
<entry>System calls for changing the system clock (<function>adjtimex()</function>,
|
||||
<function>settimeofday()</function>)</entry>
|
||||
<entry>System calls for changing the system clock (<citerefentry project='man-pages'><refentrytitle>adjtimex</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>settimeofday</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@cpu-emulation</entry>
|
||||
<entry>System calls for CPU emulation functionality (<citerefentry project='man-pages'><refentrytitle>vm86</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@debug</entry>
|
||||
<entry>Debugging, performance monitoring and tracing functionality (<citerefentry project='man-pages'><refentrytitle>ptrace</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>perf_event_open</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@io-event</entry>
|
||||
<entry>Event loop use (<function>poll()</function>, <function>select()</function>,
|
||||
<citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||
<function>eventfd()</function>...)</entry>
|
||||
<entry>Event loop system calls (<citerefentry project='man-pages'><refentrytitle>poll</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>select</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>epoll</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>eventfd</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@ipc</entry>
|
||||
<entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
<entry>SysV IPC, POSIX Message Queues or other IPC (<citerefentry project='man-pages'><refentrytitle>mq_overview</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>svipc</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@keyring</entry>
|
||||
<entry>Kernel keyring access (<citerefentry project='man-pages'><refentrytitle>keyctl</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@module</entry>
|
||||
<entry>Kernel module control (<function>create_module()</function>, <function>init_module()</function>...)</entry>
|
||||
<entry>Kernel module control (<citerefentry project='man-pages'><refentrytitle>init_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>delete_module</refentrytitle><manvolnum>2</manvolnum></citerefentry> and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@mount</entry>
|
||||
<entry>File system mounting and unmounting (<function>chroot()</function>, <function>mount()</function>...)</entry>
|
||||
<entry>File system mounting and unmounting (<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>chroot</refentrytitle><manvolnum>2</manvolnum></citerefentry>, and related calls)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@network-io</entry>
|
||||
<entry>Socket I/O (including local AF_UNIX):
|
||||
<citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
|
||||
<entry>Socket I/O (including local AF_UNIX): <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>7</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>unix</refentrytitle><manvolnum>7</manvolnum></citerefentry></entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@obsolete</entry>
|
||||
<entry>Unusual, obsolete or unimplemented (<function>fattach()</function>, <function>gtty()</function>, <function>vm86()</function>...)</entry>
|
||||
<entry>Unusual, obsolete or unimplemented (<citerefentry project='man-pages'><refentrytitle>create_module</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>gtty</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@privileged</entry>
|
||||
<entry>All system calls which need superuser capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
<entry>All system calls which need super-user capabilities (<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>)</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@process</entry>
|
||||
<entry>Process control, execution, namespaces (<function>execve()</function>, <function>kill()</function>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>...)</entry>
|
||||
<entry>Process control, execution, namespaces (<citerefentry project='man-pages'><refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>kill</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>, …</entry>
|
||||
</row>
|
||||
<row>
|
||||
<entry>@raw-io</entry>
|
||||
<entry>Raw I/O ports (<function>ioperm()</function>, <function>iopl()</function>, <function>pciconfig_read()</function>...)</entry>
|
||||
<entry>Raw I/O port access (<citerefentry project='man-pages'><refentrytitle>ioperm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>iopl</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <function>pciconfig_read()</function>, …</entry>
|
||||
</row>
|
||||
</tbody>
|
||||
</tgroup>
|
||||
|
||||
@ -44,20 +44,76 @@ static int seccomp_add_default_syscall_filter(scmp_filter_ctx ctx,
|
||||
uint64_t capability;
|
||||
int syscall_num;
|
||||
} blacklist[] = {
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(iopl) },
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(ioperm) },
|
||||
{ CAP_SYS_BOOT, SCMP_SYS(kexec_load) },
|
||||
{ CAP_SYS_ADMIN, SCMP_SYS(swapon) },
|
||||
{ CAP_SYS_ADMIN, SCMP_SYS(swapoff) },
|
||||
{ CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at) },
|
||||
{ CAP_SYS_MODULE, SCMP_SYS(init_module) },
|
||||
{ CAP_SYS_MODULE, SCMP_SYS(finit_module) },
|
||||
{ CAP_SYS_MODULE, SCMP_SYS(delete_module) },
|
||||
{ CAP_SYSLOG, SCMP_SYS(syslog) },
|
||||
{ 0, SCMP_SYS(_sysctl) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(add_key) }, /* keyring is not namespaced */
|
||||
{ 0, SCMP_SYS(afs_syscall) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(bdflush) },
|
||||
#ifdef __NR_bpf
|
||||
{ 0, SCMP_SYS(bpf) },
|
||||
#endif
|
||||
{ 0, SCMP_SYS(break) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(create_module) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(ftime) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(get_kernel_syms) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(getpmsg) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(gtty) }, /* obsolete syscall */
|
||||
#ifdef __NR_kexec_file_load
|
||||
{ 0, SCMP_SYS(kexec_file_load) },
|
||||
#endif
|
||||
{ 0, SCMP_SYS(kexec_load) },
|
||||
{ 0, SCMP_SYS(keyctl) }, /* keyring is not namespaced */
|
||||
{ 0, SCMP_SYS(lock) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(lookup_dcookie) },
|
||||
{ 0, SCMP_SYS(mpx) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(nfsservctl) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(open_by_handle_at) },
|
||||
{ 0, SCMP_SYS(perf_event_open) },
|
||||
{ 0, SCMP_SYS(prof) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(profil) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(putpmsg) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(query_module) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(quotactl) },
|
||||
{ 0, SCMP_SYS(request_key) }, /* keyring is not namespaced */
|
||||
{ 0, SCMP_SYS(security) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(sgetmask) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(ssetmask) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(stty) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(swapoff) },
|
||||
{ 0, SCMP_SYS(swapon) },
|
||||
{ 0, SCMP_SYS(sysfs) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(tuxcall) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(ulimit) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(uselib) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(ustat) }, /* obsolete syscall */
|
||||
{ 0, SCMP_SYS(vserver) }, /* obsolete syscall */
|
||||
{ CAP_SYSLOG, SCMP_SYS(syslog) },
|
||||
{ CAP_SYS_MODULE, SCMP_SYS(delete_module) },
|
||||
{ CAP_SYS_MODULE, SCMP_SYS(finit_module) },
|
||||
{ CAP_SYS_MODULE, SCMP_SYS(init_module) },
|
||||
{ CAP_SYS_PACCT, SCMP_SYS(acct) },
|
||||
{ CAP_SYS_PTRACE, SCMP_SYS(process_vm_readv) },
|
||||
{ CAP_SYS_PTRACE, SCMP_SYS(process_vm_writev) },
|
||||
{ CAP_SYS_PTRACE, SCMP_SYS(ptrace) },
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(ioperm) },
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(iopl) },
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(pciconfig_iobase) },
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(pciconfig_read) },
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(pciconfig_write) },
|
||||
#ifdef __NR_s390_pci_mmio_read
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(s390_pci_mmio_read) },
|
||||
#endif
|
||||
#ifdef __NR_s390_pci_mmio_write
|
||||
{ CAP_SYS_RAWIO, SCMP_SYS(s390_pci_mmio_write) },
|
||||
#endif
|
||||
{ CAP_SYS_TIME, SCMP_SYS(adjtimex) },
|
||||
{ CAP_SYS_TIME, SCMP_SYS(clock_adjtime) },
|
||||
{ CAP_SYS_TIME, SCMP_SYS(clock_settime) },
|
||||
{ CAP_SYS_TIME, SCMP_SYS(settimeofday) },
|
||||
{ CAP_SYS_TIME, SCMP_SYS(stime) },
|
||||
};
|
||||
|
||||
for (i = 0; i < ELEMENTSOF(blacklist); i++) {
|
||||
if (cap_list_retain & (1ULL << blacklist[i].capability))
|
||||
if (blacklist[i].capability != 0 && (cap_list_retain & (1ULL << blacklist[i].capability)))
|
||||
continue;
|
||||
|
||||
r = seccomp_rule_add(ctx, SCMP_ACT_ERRNO(EPERM), blacklist[i].syscall_num, 0);
|
||||
|
||||
@ -137,6 +137,8 @@ static bool arg_ephemeral = false;
|
||||
static LinkJournal arg_link_journal = LINK_AUTO;
|
||||
static bool arg_link_journal_try = false;
|
||||
static uint64_t arg_caps_retain =
|
||||
(1ULL << CAP_AUDIT_CONTROL) |
|
||||
(1ULL << CAP_AUDIT_WRITE) |
|
||||
(1ULL << CAP_CHOWN) |
|
||||
(1ULL << CAP_DAC_OVERRIDE) |
|
||||
(1ULL << CAP_DAC_READ_SEARCH) |
|
||||
@ -146,23 +148,21 @@ static uint64_t arg_caps_retain =
|
||||
(1ULL << CAP_KILL) |
|
||||
(1ULL << CAP_LEASE) |
|
||||
(1ULL << CAP_LINUX_IMMUTABLE) |
|
||||
(1ULL << CAP_MKNOD) |
|
||||
(1ULL << CAP_NET_BIND_SERVICE) |
|
||||
(1ULL << CAP_NET_BROADCAST) |
|
||||
(1ULL << CAP_NET_RAW) |
|
||||
(1ULL << CAP_SETGID) |
|
||||
(1ULL << CAP_SETFCAP) |
|
||||
(1ULL << CAP_SETGID) |
|
||||
(1ULL << CAP_SETPCAP) |
|
||||
(1ULL << CAP_SETUID) |
|
||||
(1ULL << CAP_SYS_ADMIN) |
|
||||
(1ULL << CAP_SYS_BOOT) |
|
||||
(1ULL << CAP_SYS_CHROOT) |
|
||||
(1ULL << CAP_SYS_NICE) |
|
||||
(1ULL << CAP_SYS_PTRACE) |
|
||||
(1ULL << CAP_SYS_TTY_CONFIG) |
|
||||
(1ULL << CAP_SYS_RESOURCE) |
|
||||
(1ULL << CAP_SYS_BOOT) |
|
||||
(1ULL << CAP_AUDIT_WRITE) |
|
||||
(1ULL << CAP_AUDIT_CONTROL) |
|
||||
(1ULL << CAP_MKNOD);
|
||||
(1ULL << CAP_SYS_TTY_CONFIG);
|
||||
static CustomMount *arg_custom_mounts = NULL;
|
||||
static unsigned arg_n_custom_mounts = 0;
|
||||
static char **arg_setenv = NULL;
|
||||
|
||||
@ -95,7 +95,31 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
.set_name = "@clock",
|
||||
.value =
|
||||
"adjtimex\0"
|
||||
"clock_adjtime\0"
|
||||
"clock_settime\0"
|
||||
"settimeofday\0"
|
||||
"stime\0"
|
||||
}, {
|
||||
/* CPU emulation calls */
|
||||
.set_name = "@cpu-emulation",
|
||||
.value =
|
||||
"modify_ldt\0"
|
||||
"subpage_prot\0"
|
||||
"switch_endian\0"
|
||||
"vm86\0"
|
||||
"vm86old\0"
|
||||
}, {
|
||||
/* Debugging/Performance Monitoring/Tracing */
|
||||
.set_name = "@debug",
|
||||
.value =
|
||||
"lookup_dcookie\0"
|
||||
"perf_event_open\0"
|
||||
"process_vm_readv\0"
|
||||
"process_vm_writev\0"
|
||||
"ptrace\0"
|
||||
"rtas\0"
|
||||
"s390_runtime_instr\0"
|
||||
"sys_debug_setcontext\0"
|
||||
}, {
|
||||
/* Default list */
|
||||
.set_name = "@default",
|
||||
@ -147,11 +171,17 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"shmctl\0"
|
||||
"shmdt\0"
|
||||
"shmget\0"
|
||||
}, {
|
||||
/* Keyring */
|
||||
.set_name = "@keyring",
|
||||
.value =
|
||||
"add_key\0"
|
||||
"keyctl\0"
|
||||
"request_key\0"
|
||||
}, {
|
||||
/* Kernel module control */
|
||||
.set_name = "@module",
|
||||
.value =
|
||||
"create_module\0"
|
||||
"delete_module\0"
|
||||
"finit_module\0"
|
||||
"init_module\0"
|
||||
@ -197,40 +227,26 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"_sysctl\0"
|
||||
"afs_syscall\0"
|
||||
"break\0"
|
||||
"fattach\0"
|
||||
"fdetach\0"
|
||||
"create_module\0"
|
||||
"ftime\0"
|
||||
"get_kernel_syms\0"
|
||||
"get_mempolicy\0"
|
||||
"getmsg\0"
|
||||
"getpmsg\0"
|
||||
"gtty\0"
|
||||
"isastream\0"
|
||||
"lock\0"
|
||||
"madvise1\0"
|
||||
"modify_ldt\0"
|
||||
"mpx\0"
|
||||
"pciconfig_iobase\0"
|
||||
"perf_event_open\0"
|
||||
"prof\0"
|
||||
"profil\0"
|
||||
"putmsg\0"
|
||||
"putpmsg\0"
|
||||
"query_module\0"
|
||||
"rtas\0"
|
||||
"s390_runtime_instr\0"
|
||||
"security\0"
|
||||
"sgetmask\0"
|
||||
"ssetmask\0"
|
||||
"stty\0"
|
||||
"subpage_prot\0"
|
||||
"switch_endian\0"
|
||||
"sys_debug_setcontext\0"
|
||||
"sysfs\0"
|
||||
"tuxcall\0"
|
||||
"ulimit\0"
|
||||
"uselib\0"
|
||||
"vm86\0"
|
||||
"vm86old\0"
|
||||
"ustat\0"
|
||||
"vserver\0"
|
||||
}, {
|
||||
/* Nice grab-bag of all system calls which need superuser capabilities */
|
||||
@ -242,6 +258,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"acct\0"
|
||||
"bdflush\0"
|
||||
"bpf\0"
|
||||
"capset\0"
|
||||
"chown32\0"
|
||||
"chown\0"
|
||||
"chroot\0"
|
||||
@ -268,7 +285,6 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
"setreuid\0"
|
||||
"setuid32\0"
|
||||
"setuid\0"
|
||||
"stime\0"
|
||||
"swapoff\0"
|
||||
"swapon\0"
|
||||
"sysctl\0"
|
||||
@ -295,6 +311,7 @@ const SystemCallFilterSet syscall_filter_sets[] = {
|
||||
.value =
|
||||
"ioperm\0"
|
||||
"iopl\0"
|
||||
"pciconfig_iobase\0"
|
||||
"pciconfig_read\0"
|
||||
"pciconfig_write\0"
|
||||
"s390_pci_mmio_read\0"
|
||||
|
||||
@ -21,4 +21,4 @@ PrivateNetwork=yes
|
||||
ProtectSystem=yes
|
||||
ProtectHome=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
@ -18,4 +18,4 @@ NoNewPrivileges=yes
|
||||
WatchdogSec=3min
|
||||
KillMode=mixed
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
@ -25,7 +25,7 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG C
|
||||
WatchdogSec=3min
|
||||
FileDescriptorStoreMax=1024
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
# Increase the default a bit in order to allow many simultaneous
|
||||
# services being run since we keep one fd open per service. Also, when
|
||||
|
||||
@ -21,4 +21,4 @@ PrivateNetwork=yes
|
||||
ProtectSystem=yes
|
||||
ProtectHome=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @privileged @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
@ -26,7 +26,7 @@ BusName=org.freedesktop.login1
|
||||
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
|
||||
WatchdogSec=3min
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
|
||||
|
||||
# Increase the default a bit in order to allow many simultaneous
|
||||
# logins since we keep one fd open per session.
|
||||
|
||||
@ -18,7 +18,7 @@ BusName=org.freedesktop.machine1
|
||||
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
|
||||
WatchdogSec=3min
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
# Note that machined cannot be placed in a mount namespace, since it
|
||||
# needs access to the host's mount namespace in order to implement the
|
||||
|
||||
@ -32,7 +32,7 @@ ProtectSystem=full
|
||||
ProtectHome=yes
|
||||
WatchdogSec=3min
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
@ -28,7 +28,7 @@ ProtectSystem=full
|
||||
ProtectHome=yes
|
||||
WatchdogSec=3min
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
||||
@ -19,4 +19,4 @@ PrivateTmp=yes
|
||||
ProtectSystem=yes
|
||||
ProtectHome=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
@ -29,7 +29,7 @@ ProtectSystem=full
|
||||
ProtectHome=yes
|
||||
WatchdogSec=3min
|
||||
MemoryDenyWriteExecute=yes
|
||||
SystemCallFilter=~@module @mount @obsolete @raw-io ptrace
|
||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
||||
|
||||
Loading…
Reference in New Issue
Block a user