From 6168ae5840bf206b1d1f88d5173fb292230f56a8 Mon Sep 17 00:00:00 2001
From: Kevin Kuehler
Date: Wed, 13 Nov 2019 16:56:23 -0800
Subject: [PATCH] units: set ProtectKernelLogs=yes on relevant units

We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
---
 units/systemd-coredump@.service.in | 1 +
 units/systemd-hostnamed.service.in | 1 +
 units/systemd-journal-gatewayd.service.in | 1 +
 units/systemd-journal-remote.service.in | 1 +
 units/systemd-journal-upload.service.in | 1 +
 units/systemd-localed.service.in | 1 +
 units/systemd-logind.service.in | 1 +
 units/systemd-machined.service.in | 1 +
 units/systemd-networkd.service.in | 1 +
 units/systemd-portabled.service.in | 1 +
 units/systemd-resolved.service.in | 1 +
 units/systemd-timedated.service.in | 1 +
 units/systemd-timesyncd.service.in | 1 +
 13 files changed, 13 insertions(+)

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index afb2ab9d173..951faa62a16 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -32,6 +32,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 1fbbafdd6f0..1365d749ca4 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -27,6 +27,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 50f774512b8..8071395e680 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
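Review bot: systemd-coredump@.service is a per-crash template instance rather than a long-running service, so it falls outside the scope the commit message gives itself ("all long running services"), even though the hunk itself is sound: the surrounding context already sets `ProtectKernelModules=yes` and `ProtectKernelTunables=yes`, and the coredump handler has no visible need for /dev/kmsg. The message should say the template unit was included on purpose, e.g. `on all long-running services and on systemd-coredump@.service, except for udevd …`, so a later audit does not read the hunk as an accident.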
@@ -24,6 +24,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 7f5238802ff..6181d15d777 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -26,6 +26,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index 33ef3b8dcad..2f1cce85187 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -24,6 +24,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index f9a81fa8ddd..10ecff5184a 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -28,6 +28,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ef802a4e6f3..ccbe6315860 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -41,6 +41,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc /run
 Restart=always
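Review bot: In the logind hunk the new `ProtectKernelLogs=yes` lands directly after `ProtectKernelModules=yes`, and the otherwise alphabetical context has no `ProtectKernelTunables=` where the other units in this patch carry it, which suggests logind is deliberately left with write access to /proc/sys and /sys (the reason is not visible here). Since this commit walks the Protect* family unit by unit, the exception is worth recording in the file so the next hardening pass does not re-add it blindly, e.g. `# ProtectKernelTunables= is intentionally unset: logind needs to write under /sys (confirm which paths)`. The rest of the [Service] section is outside the hunk, so this may already be documented elsewhere in the unit.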
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 3db0281f81d..fa344d487da 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictRealtime=yes
 SystemCallArchitectures=native
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index ed985f64fa5..01931665a49 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -29,6 +29,7 @@ NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=on-failure
 RestartSec=0
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
index fb79f454fd9..3051fbd3d07 100644
--- a/units/systemd-portabled.service.in
+++ b/units/systemd-portabled.service.in
@@ -18,6 +18,7 @@ BusName=org.freedesktop.portable1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
 MemoryDenyWriteExecute=yes
 ProtectHostname=yes
+ProtectKernelLogs=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service @mount
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 22cb2023637..f73697832cc 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -32,6 +32,7 @@ ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 819cb4dba29..87859f4aef3 100644
--- a/units/systemd-timedated.service.in
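Review bot: In the networkd hunk the new `ProtectKernelLogs=yes` is placed after `ProtectKernelModules=yes`, and the alphabetical context shows no `ProtectKernelTunables=` between it and `ProtectSystem=strict`, unlike the other daemons in this patch; presumably networkd needs to write sysctls under /proc/sys/net, but that reason is not visible in the hunk. Since the commit is an audit of the kernel-facing Protect* options, the omission deserves a one-line justification in the unit, e.g. `# ProtectKernelTunables= is intentionally unset: networkd writes per-interface sysctls under /proc/sys/net (confirm)`. The remainder of the [Service] section lies outside the hunk and may already carry such a note.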
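Review bot: On the portabled hunk the new `ProtectKernelLogs=yes` is weaker than it looks: the visible `CapabilityBoundingSet=` retains `CAP_SYS_ADMIN` and `SystemCallFilter=@system-service @mount` permits the mount family, so the service could in principle unmount the masks that hide /dev/kmsg and /proc/kmsg inside its own mount namespace, and the capability half of the option is a no-op because `CAP_SYSLOG` is already absent from that explicit bounding set. What the line durably buys here is the seccomp block on syslog(2), which is still worth having. A comment would keep the next reader from overestimating it, e.g. `# CAP_SYS_ADMIN and @mount are kept for image mounting, so the kmsg mask is best-effort; syslog(2) stays filtered`.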
+++ b/units/systemd-timedated.service.in
@@ -27,6 +27,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 1a866fcc7a8..f0486a70ab7 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -32,6 +32,7 @@ ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectKernelLogs=yes
 ProtectSystem=strict
 Restart=always
 RestartSec=0