|
 |
2379dd0 |
From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001
|
|
|
b80d668 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
|
2379dd0 |
Date: Wed, 3 Apr 2019 10:56:14 +0200
|
|
|
b80d668 |
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
|
|
|
b80d668 |
services"
|
|
|
b80d668 |
|
|
|
b80d668 |
This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
|
|
|
b80d668 |
---
|
|
|
2379dd0 |
units/systemd-coredump@.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-hostnamed.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-initctl.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-journal-remote.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-journald.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-localed.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-logind.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-machined.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-networkd.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-resolved.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-rfkill.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-timedated.service.in | 1 -
|
|
|
2379dd0 |
units/systemd-timesyncd.service.in | 1 -
|
|
|
2379dd0 |
13 files changed, 13 deletions(-)
|
|
|
b80d668 |
|
|
|
b80d668 |
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
|
|
|
2379dd0 |
index afb2ab9d17..5babc11e4c 100644
|
|
|
b80d668 |
--- a/units/systemd-coredump@.service.in
|
|
|
b80d668 |
+++ b/units/systemd-coredump@.service.in
|
|
|
b80d668 |
@@ -22,7 +22,6 @@ IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
Nice=9
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
OOMScoreAdjust=500
|
|
|
b80d668 |
PrivateDevices=yes
|
|
|
b80d668 |
PrivateNetwork=yes
|
|
|
b80d668 |
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
|
|
|
2379dd0 |
index b4f606cf78..f7977e1504 100644
|
|
|
b80d668 |
--- a/units/systemd-hostnamed.service.in
|
|
|
b80d668 |
+++ b/units/systemd-hostnamed.service.in
|
|
|
b80d668 |
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
|
|
|
b80d668 |
IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
PrivateDevices=yes
|
|
|
b80d668 |
PrivateNetwork=yes
|
|
|
b80d668 |
PrivateTmp=yes
|
|
|
b80d668 |
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
|
|
|
b80d668 |
index c276283908..f48d673d58 100644
|
|
|
b80d668 |
--- a/units/systemd-initctl.service.in
|
|
|
b80d668 |
+++ b/units/systemd-initctl.service.in
|
|
|
b80d668 |
@@ -14,6 +14,5 @@ DefaultDependencies=no
|
|
|
b80d668 |
|
|
|
b80d668 |
[Service]
|
|
|
b80d668 |
ExecStart=@rootlibexecdir@/systemd-initctl
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
NotifyAccess=all
|
|
|
b80d668 |
SystemCallArchitectures=native
|
|
|
b80d668 |
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
|
|
|
2379dd0 |
index dd6322e62c..c867aca104 100644
|
|
|
b80d668 |
--- a/units/systemd-journal-remote.service.in
|
|
|
b80d668 |
+++ b/units/systemd-journal-remote.service.in
|
|
|
b80d668 |
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
LogsDirectory=journal/remote
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
PrivateDevices=yes
|
|
|
b80d668 |
PrivateNetwork=yes
|
|
|
b80d668 |
PrivateTmp=yes
|
|
|
b80d668 |
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
|
|
|
2379dd0 |
index fab405502a..308622e9b3 100644
|
|
|
b80d668 |
--- a/units/systemd-journald.service.in
|
|
|
b80d668 |
+++ b/units/systemd-journald.service.in
|
|
|
b80d668 |
@@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224
|
|
|
b80d668 |
IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
Restart=always
|
|
|
b80d668 |
RestartSec=0
|
|
|
b80d668 |
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
|
b80d668 |
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
|
|
|
2379dd0 |
index 7bca34409a..05fb4f0c80 100644
|
|
|
b80d668 |
--- a/units/systemd-localed.service.in
|
|
|
b80d668 |
+++ b/units/systemd-localed.service.in
|
|
|
b80d668 |
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
|
|
|
b80d668 |
IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
PrivateDevices=yes
|
|
|
b80d668 |
PrivateNetwork=yes
|
|
|
b80d668 |
PrivateTmp=yes
|
|
|
b80d668 |
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
|
|
|
2379dd0 |
index 3eef95c661..53af530aea 100644
|
|
|
b80d668 |
--- a/units/systemd-logind.service.in
|
|
|
b80d668 |
+++ b/units/systemd-logind.service.in
|
|
|
b80d668 |
@@ -27,7 +27,6 @@ FileDescriptorStoreMax=512
|
|
|
b80d668 |
IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
2379dd0 |
PrivateTmp=yes
|
|
|
2379dd0 |
ProtectControlGroups=yes
|
|
|
2379dd0 |
ProtectHome=yes
|
|
|
b80d668 |
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
|
|
|
2379dd0 |
index d6deefea08..092abc128f 100644
|
|
|
b80d668 |
--- a/units/systemd-machined.service.in
|
|
|
b80d668 |
+++ b/units/systemd-machined.service.in
|
|
|
b80d668 |
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
|
|
|
b80d668 |
IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
2379dd0 |
ProtectHostname=yes
|
|
|
b80d668 |
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
|
b80d668 |
RestrictRealtime=yes
|
|
|
b80d668 |
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
|
|
|
2379dd0 |
index 2c74da6f1e..eaabcb9941 100644
|
|
|
b80d668 |
--- a/units/systemd-networkd.service.in
|
|
|
b80d668 |
+++ b/units/systemd-networkd.service.in
|
|
|
b80d668 |
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
|
|
|
b80d668 |
ExecStart=!!@rootlibexecdir@/systemd-networkd
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
ProtectControlGroups=yes
|
|
|
b80d668 |
ProtectHome=yes
|
|
|
b80d668 |
ProtectKernelModules=yes
|
|
|
b80d668 |
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
|
|
|
2379dd0 |
index eee5d5ea8f..a8f442ef6f 100644
|
|
|
b80d668 |
--- a/units/systemd-resolved.service.in
|
|
|
b80d668 |
+++ b/units/systemd-resolved.service.in
|
|
|
b80d668 |
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
|
b80d668 |
ExecStart=!!@rootlibexecdir@/systemd-resolved
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
PrivateDevices=yes
|
|
|
b80d668 |
PrivateTmp=yes
|
|
|
b80d668 |
ProtectControlGroups=yes
|
|
|
b80d668 |
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
|
|
|
b80d668 |
index 3abb958310..7447ed5b5b 100644
|
|
|
b80d668 |
--- a/units/systemd-rfkill.service.in
|
|
|
b80d668 |
+++ b/units/systemd-rfkill.service.in
|
|
|
b80d668 |
@@ -18,7 +18,6 @@ Before=shutdown.target
|
|
|
b80d668 |
|
|
|
b80d668 |
[Service]
|
|
|
b80d668 |
ExecStart=@rootlibexecdir@/systemd-rfkill
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
StateDirectory=systemd/rfkill
|
|
|
b80d668 |
TimeoutSec=30s
|
|
|
b80d668 |
Type=notify
|
|
|
b80d668 |
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
|
|
|
2379dd0 |
index df546f471f..4d50999a22 100644
|
|
|
b80d668 |
--- a/units/systemd-timedated.service.in
|
|
|
b80d668 |
+++ b/units/systemd-timedated.service.in
|
|
|
b80d668 |
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
|
|
|
b80d668 |
IPAddressDeny=any
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
PrivateTmp=yes
|
|
|
b80d668 |
ProtectControlGroups=yes
|
|
|
b80d668 |
ProtectHome=yes
|
|
|
b80d668 |
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
|
|
|
2379dd0 |
index 6512531e1c..2b2e1d73d2 100644
|
|
|
b80d668 |
--- a/units/systemd-timesyncd.service.in
|
|
|
b80d668 |
+++ b/units/systemd-timesyncd.service.in
|
|
|
b80d668 |
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
|
|
|
b80d668 |
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
|
|
b80d668 |
LockPersonality=yes
|
|
|
b80d668 |
MemoryDenyWriteExecute=yes
|
|
|
b80d668 |
-NoNewPrivileges=yes
|
|
|
b80d668 |
PrivateDevices=yes
|
|
|
b80d668 |
PrivateTmp=yes
|
|
|
b80d668 |
ProtectControlGroups=yes
|