units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running daemons

2025-01-03 05:18:09 +03:00 · 2014-03-19 16:45:28 +01:00 · 2014-03-19 16:45:28 +01:00 · d99a705296
commit d99a705296
parent 7973ca1927
6 changed files with 11 additions and 0 deletions
--- a/units/systemd-bus-driverd.service.in
+++ b/units/systemd-bus-driverd.service.in
@ -13,3 +13,5 @@ ExecStart=@rootlibexecdir@/systemd-bus-driverd
 BusName=org.freedesktop.DBus
 WatchdogSec=1min
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@ -15,3 +15,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
 CapabilityBoundingSet=
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@ -17,3 +17,5 @@ ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@ -15,3 +15,4 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
 WatchdogSec=1min
+PrivateTmp=yes