shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-05 13:18:06 +03:00
Code

units: turn on ProtectKernelModules= for most long-running services

Browse Source
This commit is contained in:
Lennart Poettering 2017-02-09 11:09:50 +01:00
parent c7fb922d62
commit b6c7278c38
10 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
units/systemd-coredump@.service.in
View File

@ -24,3 +24,4 @@ ProtectSystem=strict
RuntimeMaxSec=5min RuntimeMaxSec=5min
SystemCallArchitectures=native SystemCallArchitectures=native
ReadWritePaths=/var/lib/systemd/coredump ReadWritePaths=/var/lib/systemd/coredump
ProtectKernelModules=yes

1
units/systemd-hostnamed.service.in
View File

@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes

1
units/systemd-journal-gatewayd.service.in
View File

@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes

1
units/systemd-journal-remote.service.in
View File

@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes

1
units/systemd-journal-upload.service.in
View File

@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes

1
units/systemd-localed.service.in
View File

@ -22,6 +22,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes

1
units/systemd-networkd.service.m4.in
View File

@ -31,6 +31,7 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ProtectSystem=strict ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET

1
units/systemd-resolved.service.m4.in
View File

@ -31,6 +31,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6

1
units/systemd-timedated.service.in
View File

@ -20,6 +20,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes

1
units/systemd-timesyncd.service.in
View File

@ -30,6 +30,7 @@ ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes RestrictRealtime=yes
RestrictNamespaces=yes RestrictNamespaces=yes