author | Bastien Nocera <hadess@hadess.net> | 2018-04-16 09:02:44 +0200 |
---|---|---|
committer | Bastien Nocera <hadess@hadess.net> | 2018-04-16 10:04:51 +0200 |
commit | b0cdb7e9fe93b662d4f4a29b3af7f66ef3763c67 (patch) | |
tree | 94e633dde971af6e17aabdac2bb1fa2ca8dee8ce | |
parent | 40e525edbde41f24f53a3a5255fbace71c79261a (diff) | |
download | upower-b0cdb7e9fe93b662d4f4a29b3af7f66ef3763c67.tar.gz |
daemon: Lock down systemd service file
Use systemd's service file to lock down the UPower daemon to stop
potential security problems.
https://bugs.freedesktop.org/show_bug.cgi?id=102898
-rw-r--r-- | src/Makefile.am | 2 | ||||
-rw-r--r-- | src/upower.service.in | 23 |
2 files changed, 24 insertions, 1 deletions
diff --git a/src/Makefile.am b/src/Makefile.am index 17fdb8a..f7922a7 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -176,7 +176,7 @@ systemdservicedir = $(systemdsystemunitdir) systemdservice_DATA = $(systemdservice_in_files:.service.in=.service) $(systemdservice_DATA): $(systemdservice_in_files) Makefile - @sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@ + @sed -e "s|\@libexecdir\@|$(libexecdir)|" -e "s|\@historydir\@|$(historydir)|" $< > $@ endif install-data-hook: diff --git a/src/upower.service.in b/src/upower.service.in index d0945f0..835529a 100644 --- a/src/upower.service.in +++ b/src/upower.service.in @@ -8,5 +8,28 @@ BusName=org.freedesktop.UPower ExecStart=@libexecdir@/upowerd Restart=on-failure +# Filesystem lockdown +ProtectSystem=strict +ProtectKernelTunables=true +ProtectControlGroups=true +ReadWritePaths=@historydir@ +ProtectHome=true +PrivateTmp=true + +# Network +PrivateNetwork=true + +# Execute Mappings +MemoryDenyWriteExecute=true + +# Modules +ProtectKernelModules=true + +# Real-time +RestrictRealtime=true + +# Privilege escalation +NoNewPrivileges=true + [Install] WantedBy=graphical.target |
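Review bot: Nothing in the recipe checks that `$(historydir)` is non-empty before the new `-e "s|\@historydir\@|$(historydir)|"` expression substitutes it into the unit, and its definition is not visible in this hunk (presumably it comes from configure). If it expands to nothing, the generated file would carry an empty `ReadWritePaths=`, which as far as I know resets the list, so together with `ProtectSystem=strict` the daemon would run with no writable history directory and the failure would only surface at runtime. A guard line ahead of the sed, such as `@test -n "$(historydir)" || { echo "historydir is not set" >&2; exit 1; }`, would turn that into a build failure instead. The enclosing `if` conditional opens above the hunk, so whether the variable is set there cannot be confirmed from here.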
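Review bot: `PrivateNetwork=true` puts upowerd in its own network namespace, and udev's event multicast travels over a netlink socket that is scoped to the network namespace, so a daemon that learns about device changes through udev may stop seeing hotplug events under this unit. Whether upowerd depends on that is not visible in this hunk, so it is worth testing an AC adapter or battery plug/unplug with the hardened unit. If events are lost, the network restriction can be kept without the namespace by replacing that line with `RestrictAddressFamilies=AF_UNIX AF_NETLINK` and `IPAddressDeny=any`. Separately, `ReadWritePaths=@historydir@` makes the unit fail at namespace setup when the directory does not exist at start. Writing it as `ReadWritePaths=-@historydir@`, or ensuring the directory is created at install time, avoids that.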