From 224a4eaf6701431af907179e313138213b60ce6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Wed, 3 Apr 2019 10:56:14 +0200 Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running services" This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4. --- units/systemd-coredump@.service.in | 1 - units/systemd-hostnamed.service.in | 1 - units/systemd-initctl.service.in | 1 - units/systemd-journal-remote.service.in | 1 - units/systemd-journald.service.in | 1 - units/systemd-localed.service.in | 1 - units/systemd-logind.service.in | 1 - units/systemd-machined.service.in | 1 - units/systemd-networkd.service.in | 1 - units/systemd-resolved.service.in | 1 - units/systemd-rfkill.service.in | 1 - units/systemd-timedated.service.in | 1 - units/systemd-timesyncd.service.in | 1 - 13 files changed, 13 deletions(-) diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index afb2ab9d17..5babc11e4c 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -22,7 +22,6 @@ IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes Nice=9 -NoNewPrivileges=yes OOMScoreAdjust=500 PrivateDevices=yes PrivateNetwork=yes diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index b4f606cf78..f7977e1504 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes PrivateTmp=yes diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in index c276283908..f48d673d58 100644 --- a/units/systemd-initctl.service.in +++ b/units/systemd-initctl.service.in @@ -14,6 +14,5 @@ DefaultDependencies=no [Service] ExecStart=@rootlibexecdir@/systemd-initctl -NoNewPrivileges=yes NotifyAccess=all SystemCallArchitectures=native diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in index dd6322e62c..c867aca104 100644 --- a/units/systemd-journal-remote.service.in +++ b/units/systemd-journal-remote.service.in @@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va LockPersonality=yes LogsDirectory=journal/remote MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes PrivateTmp=yes diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index fab405502a..308622e9b3 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -22,7 +22,6 @@ FileDescriptorStoreMax=4224 IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes Restart=always RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index 7bca34409a..05fb4f0c80 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes PrivateNetwork=yes PrivateTmp=yes diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index 3eef95c661..53af530aea 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -27,7 +27,6 @@ FileDescriptorStoreMax=512 IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateTmp=yes ProtectControlGroups=yes ProtectHome=yes diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index d6deefea08..092abc128f 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes ProtectHostname=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 RestrictRealtime=yes diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 2c74da6f1e..eaabcb9941 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N ExecStart=!!@rootlibexecdir@/systemd-networkd LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes ProtectControlGroups=yes ProtectHome=yes ProtectKernelModules=yes diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in index eee5d5ea8f..a8f442ef6f 100644 --- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.in @@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE ExecStart=!!@rootlibexecdir@/systemd-resolved LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes PrivateTmp=yes ProtectControlGroups=yes diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in index 3abb958310..7447ed5b5b 100644 --- a/units/systemd-rfkill.service.in +++ b/units/systemd-rfkill.service.in @@ -18,7 +18,6 @@ Before=shutdown.target [Service] ExecStart=@rootlibexecdir@/systemd-rfkill -NoNewPrivileges=yes StateDirectory=systemd/rfkill TimeoutSec=30s Type=notify diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index df546f471f..4d50999a22 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateTmp=yes ProtectControlGroups=yes ProtectHome=yes diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 6512531e1c..2b2e1d73d2 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME ExecStart=!!@rootlibexecdir@/systemd-timesyncd LockPersonality=yes MemoryDenyWriteExecute=yes -NoNewPrivileges=yes PrivateDevices=yes PrivateTmp=yes ProtectControlGroups=yes