units: add SecureBits
No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
This commit is contained in:
parent
c4c086a2e3
commit
6a716208b3
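--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed
 ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 PrivateDevices=yes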
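Review bot: The rationale for the new `SecureBits=noroot noroot-locked` line lives only in the commit message; a one-line comment in the unit itself would keep it next to the setting, e.g. `# No setuid binaries are expected to be executed by this service: never grant capabilities on execve() based on UID 0, and lock that choice in.` The same applies to the identical line added in the importd, journal-gatewayd, journal-remote, journal-upload, journald, localed, logind, machined, networkd, resolved, timedated and timesyncd sections below. That comment should also make clear that noroot only affects what happens at execve(): a unit that still runs as UID 0 under a CapabilityBoundingSet=, as this one does, keeps its own capabilities, so the setting is narrower than NoNewPrivileges=. The file paths are not shown on this page, so the placement is given relative to the hunk.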
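--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -14,6 +14,7 @@ ExecStart=@rootlibexecdir@/systemd-importd
 BusName=org.freedesktop.import1
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP
 NoNewPrivileges=yes
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 ProtectSystem=full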
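Review bot: In this unit the new `SecureBits=noroot noroot-locked` sits directly under `NoNewPrivileges=yes`, which already prevents the service and its children from gaining privileges at execve(), setuid-root binaries included, so here the added line is redundant rather than additional hardening. That is harmless, but a reader comparing units will see that only importd carries both and may wonder which one is load-bearing. A short comment such as `# Overlaps with NoNewPrivileges= above; kept so every daemon unit sets the same secure bits` would make the intent explicit. If the overlap is not intended, the commit message could instead say that this unit was included for uniformity.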
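--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -11,6 +11,7 @@ Requires=systemd-journal-gatewayd.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+SecureBits=noroot noroot-locked
 User=systemd-journal-gateway
 Group=systemd-journal-gateway
 SupplementaryGroups=systemd-journal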
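Review bot: This unit, like the journal-remote and journal-upload sections below, already drops to an unprivileged `User=`, so the only way such a process could regain root capabilities is by executing a setuid-root binary; `noroot` closes exactly that path, and `noroot-locked` keeps the daemon from clearing the bit, which is worth stating in a comment above the new line. If nothing these three services execute relies on setuid or file capabilities, `NoNewPrivileges=yes` would cover the same case and file capabilities as well; that is a judgement call that needs confirming against what the daemons spawn, so it is raised here rather than proposed as a change. Placement is also inconsistent with the other hunks, which put `SecureBits=` after the capability settings, though these units have no `CapabilityBoundingSet=` in view to anchor it.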
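--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -13,6 +13,7 @@ Requires=systemd-journal-remote.socket
 ExecStart=@rootlibexecdir@/systemd-journal-remote \
 --listen-https=-3 \
 --output=/var/log/journal/remote/
+SecureBits=noroot noroot-locked
 User=systemd-journal-remote
 Group=systemd-journal-remote
 PrivateTmp=yes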
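--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -12,6 +12,7 @@ After=network.target
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-upload \
 --save-state
+SecureBits=noroot noroot-locked
 User=systemd-journal-upload
 PrivateTmp=yes
 PrivateDevices=yes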
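--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -22,6 +22,7 @@ RestartSec=0
 NotifyAccess=all
 StandardOutput=null
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 FileDescriptorStoreMax=1024
 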
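--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/localed
 ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
 CapabilityBoundingSet=
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 PrivateDevices=yes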
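--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -24,6 +24,7 @@ Restart=always
 RestartSec=0
 BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 
 # Increase the default a bit in order to allow many simultaneous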
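--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -16,6 +16,7 @@ After=machine.slice
 ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 PrivateDevices=yes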
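--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -23,6 +23,7 @@ Restart=on-failure
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=1min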
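--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -21,6 +21,7 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=1min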
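--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/timedated
 ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 ProtectSystem=yes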
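--- a/[PATH NOT SHOWN ON PAGE]
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -23,6 +23,7 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
 CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=full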