author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-12-18 15:05:48 +0100 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2019-03-19 10:58:49 +0100 |
commit | 11dce8e29b2786a57cab2bfb4b1a39221cf7f2db (patch) | |
tree | 55450a9bad2914e6c9354fd3426267faa786fbeb /units | |
parent | 928df2c251501f9a693cfd292a8a05c45d1963e2 (diff) | |
download | systemd-11dce8e29b2786a57cab2bfb4b1a39221cf7f2db.tar.gz |
Revert "Revert "units: lock down logind with fs namespacing options""
This reverts commit 28f38a76345b7548700d2337dd8b9a8c3f5b0643.
The revert was done because Ubuntu CI was completely broken with it. Let's see
if it fares better now.
Diffstat (limited to 'units')
-rw-r--r-- | units/systemd-logind.service.in | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index a864f66c68..9c8938ec4a 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -21,19 +21,27 @@ After=dbus.socket [Service] BusName=org.freedesktop.login1 -CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE +CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG CAP_LINUX_IMMUTABLE ExecStart=@rootlibexecdir@/systemd-logind FileDescriptorStoreMax=512 IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes NoNewPrivileges=yes +PrivateTmp=yes +ProtectControlGroups=yes +ProtectHome=yes ProtectHostname=yes +ProtectKernelModules=yes +ProtectSystem=strict +ReadWritePaths=/etc /run Restart=always RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK RestrictNamespaces=yes RestrictRealtime=yes +RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown +RuntimeDirectoryPreserve=yes SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service |
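Review bot: The rewritten `CapabilityBoundingSet=` line at the top of the `[Service]` hunk drops `CAP_KILL`, which is not a filesystem namespacing option and is not mentioned in the commit message. Either split that removal into its own commit or say in the message why logind no longer needs the capability, so that a later bisect does not attribute a signal-delivery regression to the namespacing changes. Separately, `ReadWritePaths=/etc /run` reopens all of `/etc` for writing under `ProtectSystem=strict`; a comment in the unit naming what logind writes there, or a narrower list of paths, would make the remaining write surface easier to judge. Because the previous attempt was reverted over a CI breakage, the message would also benefit from a line on what changed to make this retry expected to pass.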