units: add ProtectClock=yes
Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
parent
c3362c2f97
commit
cabc1c6d7a
|
@ -21,6 +21,7 @@ NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateNetwork=yes
|
PrivateNetwork=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
|
|
@ -25,6 +25,7 @@ LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
OOMScoreAdjust=-250
|
OOMScoreAdjust=-250
|
||||||
|
ProtectClock=yes
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=0
|
RestartSec=0
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||||
|
|
|
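Review bot: `ProtectClock=yes` is added in this hunk with no `DeviceAllow=` or `PrivateDevices=` line visible, and the same holds for the `@ -36,6 +36,7` and `@ -26,6 +26,7` (systemd-networkd) hunks. Because the option implies `DeviceAllow=char-rtc r`, a unit with no other device rules would move from unrestricted device access to an allow-list. The commit message says the units already carry `DeviceAllow=` rules, but those lines fall outside the hunks shown, and this page does not show the file names. It is worth confirming that each unit's existing rules cover every device node the daemon opens. A comment beside those rules would stop a later cleanup from removing them, for example `# ProtectClock= implies a device allow-list; every device this service opens must be listed here`.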
@ -36,6 +36,7 @@ LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
|
|
|
@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
|
||||||
LockPersonality=yes
|
LockPersonality=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
|
|
|
@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
|
||||||
NoNewPrivileges=yes
|
NoNewPrivileges=yes
|
||||||
PrivateDevices=yes
|
PrivateDevices=yes
|
||||||
PrivateTmp=yes
|
PrivateTmp=yes
|
||||||
|
ProtectClock=yes
|
||||||
ProtectControlGroups=yes
|
ProtectControlGroups=yes
|
||||||
ProtectHome=yes
|
ProtectHome=yes
|
||||||
ProtectKernelModules=yes
|
ProtectKernelModules=yes
|
||||||
|
|
|
@ -16,6 +16,8 @@ Before=sysinit.target
|
||||||
ConditionPathIsReadWrite=/sys
|
ConditionPathIsReadWrite=/sys
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
|
DeviceAllow=block-* rwm
|
||||||
|
DeviceAllow=char-* rwm
|
||||||
Type=notify
|
Type=notify
|
||||||
# Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
|
# Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
|
||||||
OOMScoreAdjust=-1000
|
OOMScoreAdjust=-1000
|
||||||
|
@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
|
||||||
KillMode=mixed
|
KillMode=mixed
|
||||||
TasksMax=infinity
|
TasksMax=infinity
|
||||||
PrivateMounts=yes
|
PrivateMounts=yes
|
||||||
|
ProtectClock=yes
|
||||||
ProtectHostname=yes
|
ProtectHostname=yes
|
||||||
MemoryDenyWriteExecute=yes
|
MemoryDenyWriteExecute=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
|
|
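Review bot: The new `DeviceAllow=block-* rwm` and `DeviceAllow=char-* rwm` lines in the first hunk of this unit have no comment explaining that they exist only to offset the device allow-list implied by `ProtectClock=yes` in the second hunk. Without one they look redundant and may be deleted later, which would leave the service limited to the implied `char-rtc r` rule. Since `char-*` with `rwm` also matches the RTC nodes, the read-only RTC restriction appears to be cancelled for this unit. That would leave only the capability drop and the clock syscall filter from `ProtectClock=` in effect, which deserves a mention. Suggested comment above the two lines: `# ProtectClock= implies DeviceAllow=char-rtc r; udev needs all devices, so re-allow them explicitly (this also re-allows write access to char-rtc)`.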