mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager
synced 2024-10-01 13:55:36 +00:00
cloud-setup: more sandboxing in service file
Note that some of those sandboxing options may require relatively recent systemd. In that case, to run against older systemd, you will need to patch the service file. I don't think there is a way around that, and limiting ourselves to only the oldest supported option is harmful for users who run recent systemd.

See-also: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
parent
b4340fd9a2
commit
6fb4af7300
1
NEWS
1
NEWS
|
@ -22,6 +22,7 @@ Overview of changes since NetworkManager-1.44
|
|||
* Limit number of exported IP addresses/routes on D-Bus to 100 to reduce
|
||||
performance cost. Also, D-Bus updates for addresses/routes are now rate
|
||||
limited to 3 per second.
|
||||
* cloud-setup: enable more sandboxing options in systemd service file.
|
||||
|
||||
=============================================
|
||||
NetworkManager-1.44
|
||||
|
|
|
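Review bot: The added NEWS entry "* cloud-setup: enable more sandboxing options in systemd service file." leaves out the caveat that the commit message states, namely that some of these options may require relatively recent systemd and that the service file may need patching on older versions. NEWS is what packagers read, so consider appending that caveat to the entry.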
@ -22,22 +22,30 @@ ExecStart=@libexecdir@/nm-cloud-setup
|
|||
#Environment=NM_CLOUD_SETUP_ALIYUN=yes
|
||||
|
||||
CapabilityBoundingSet=
|
||||
KeyringMode=private
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
PrivateUsers=yes
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
|
||||
DevicePolicy=closed
|
||||
PrivateNetwork=no
|
||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||
SystemCallFilter=@system-service
|
||||
|
||||
[Install]
|
||||
|
|
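Review bot: `RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6` appears twice in this hunk, once in the alphabetical block after `ProtectSystem=strict` and once between `PrivateNetwork=no` and `SystemCallFilter=@system-service`. If both copies end up in the installed unit, drop the second one: systemd merges repeated lists, so the duplicate is harmless today, but a later tightening of the address families could easily be applied to only one copy. `PrivateNetwork=no` restates the default, so a one-line comment saying it is deliberate (the allowed families include AF_INET and AF_INET6, so the service needs the network) would keep it from being flipped later. The commit message's caveat about older systemd would also be worth carrying as a comment in the unit itself, and quoting the `systemd-analyze security` result for this unit before and after would make the hardening gain reviewable.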