mirror of
https://github.com/systemd/systemd.git
synced 2024-10-30 14:55:37 +03:00
2aba77057e
Before this patch the only way to prevent journald from reading the audit messages was to mask systemd-journald-audit.socket. However this had main drawback that downstream couldn't ship the socket disabled by default (beside the fact that masking units is not supposed to be the usual way to disable them). Fixes #15777
60 lines
2.2 KiB
SYSTEMD
60 lines
2.2 KiB
SYSTEMD
# SPDX-License-Identifier: LGPL-2.1-or-later
|
|
#
|
|
# This file is part of systemd.
|
|
#
|
|
# systemd is free software; you can redistribute it and/or modify it
|
|
# under the terms of the GNU Lesser General Public License as published by
|
|
# the Free Software Foundation; either version 2.1 of the License, or
|
|
# (at your option) any later version.
|
|
|
|
[Unit]
|
|
Description=Journal Service
|
|
Documentation=man:systemd-journald.service(8) man:journald.conf(5)
|
|
DefaultDependencies=no
|
|
Requires=systemd-journald.socket
|
|
After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket
|
|
Before=sysinit.target
|
|
|
|
# Mount and swap units need the journal socket units. If they were removed by
|
|
# an isolate request the mount and swap units would be removed too, hence let's
|
|
# exclude systemd-journald and its sockets from isolate requests.
|
|
IgnoreOnIsolate=yes
|
|
|
|
[Service]
|
|
DeviceAllow=char-* rw
|
|
ExecStart={{ROOTLIBEXECDIR}}/systemd-journald
|
|
FileDescriptorStoreMax=4224
|
|
IPAddressDeny=any
|
|
LockPersonality=yes
|
|
MemoryDenyWriteExecute=yes
|
|
NoNewPrivileges=yes
|
|
OOMScoreAdjust=-250
|
|
ProtectClock=yes
|
|
Restart=always
|
|
RestartSec=0
|
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
RuntimeDirectory=systemd/journal
|
|
RuntimeDirectoryPreserve=yes
|
|
# Audit socket is not listed here because this unit can be turned off. However
|
|
# the link between the socket and the service units is still created thanks to
|
|
# the 'Service=' setting specified in the socket unit.
|
|
Sockets=systemd-journald.socket systemd-journald-dev-log.socket
|
|
StandardOutput=null
|
|
SystemCallArchitectures=native
|
|
SystemCallErrorNumber=EPERM
|
|
SystemCallFilter=@system-service
|
|
Type=notify
|
|
{{SERVICE_WATCHDOG}}
|
|
|
|
# In case you're wondering why CAP_SYS_PTRACE is needed, access to
|
|
# /proc/<pid>/exe requires this capability. Thus if this capability is missing
|
|
# the _EXE=/OBJECT_EXE= fields will be missing from the journal entries.
|
|
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
|
|
|
|
# If there are many split up journal files we need a lot of fds to access them
|
|
# all in parallel.
|
|
LimitNOFILE={{HIGH_RLIMIT_NOFILE}}
|