From b6c7278c38b5c240d8435ab6293838ee5de827cb Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Thu, 9 Feb 2017 11:09:50 +0100
Subject: [PATCH] units: turn on ProtectKernelModules= for most long-running services
---
 units/systemd-coredump@.service.in | 1 +
 units/systemd-hostnamed.service.in | 1 +
 units/systemd-journal-gatewayd.service.in | 1 +
 units/systemd-journal-remote.service.in | 1 +
 units/systemd-journal-upload.service.in | 1 +
 units/systemd-localed.service.in | 1 +
 units/systemd-networkd.service.m4.in | 1 +
 units/systemd-resolved.service.m4.in | 1 +
 units/systemd-timedated.service.in | 1 +
 units/systemd-timesyncd.service.in | 1 +
 10 files changed, 10 insertions(+)
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 760769191c2..f12b28d6a6b 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -24,3 +24,4 @@ ProtectSystem=strict
 RuntimeMaxSec=5min
 SystemCallArchitectures=native
 ReadWritePaths=/var/lib/systemd/coredump
+ProtectKernelModules=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 6904785e451..85410adc72b 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index ecc5b56c9c7..99099967e73 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
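Review bot: In units/systemd-coredump@.service.in the new `ProtectKernelModules=yes` is appended after `ReadWritePaths=/var/lib/systemd/coredump`, whereas the other nine units in this patch place it inside the Protect* group ahead of `MemoryDenyWriteExecute=yes`. Keeping it next to `ProtectSystem=strict` would make the unit's sandboxing directives easier to audit as a set. The rest of the [Service] section lies outside the hunk, so the exact position is best judged against the full file.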
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 323e308871e..5404bf1c035 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index d7e0b290e92..b9eab215428 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index d6441d9f5fa..a41e30bfdf5 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -22,6 +22,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 153ddeb3236..d33deb97b63 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
 ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index dfd2f4ad0aa..08f0a85aea3 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
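Review bot: In units/systemd-networkd.service.m4.in, `ProtectKernelModules=yes` deserves a comment stating what it does not cover. Per systemd.exec(5) it drops CAP_SYS_MODULE, filters the module-loading system calls and hides /usr/lib/modules, but module autoloading that the kernel performs as a side effect of a requested operation still happens. This unit keeps `CAP_NET_ADMIN` in its bounding set (visible in the hunk header), so netlink requests it makes can presumably still cause network-related modules to be loaded on its behalf. I would add `# Blocks explicit module loading only; kernel autoloading is governed by the kernel.modules_disabled sysctl` above the directive. The same caveat applies to the other nine units in this patch, though it matters most here.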
@@ -31,6 +31,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 336a2312908..2881e122dc9 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -20,6 +20,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 41d41806c1f..ab48a7aa302 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -30,6 +30,7 @@ ProtectSystem=strict
 ProtectHome=yes
 ProtectControlGroups=yes
 ProtectKernelTunables=yes
+ProtectKernelModules=yes
 MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictNamespaces=yes