|
Zbigniew Jędrzejewski-Szmek |
a74696 |
From 69860269011435e30e45713e44ba5adeaea8b546 Mon Sep 17 00:00:00 2001
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
Date: Wed, 3 Apr 2019 10:56:14 +0200
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
services"
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
---
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-coredump@.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-hostnamed.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-initctl.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-journal-remote.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-journald.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-localed.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-logind.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-machined.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-networkd.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-resolved.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-rfkill.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-timedated.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
units/systemd-timesyncd.service.in | 1 -
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
13 files changed, 13 deletions(-)
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 951faa62a1..c3997d17d0 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-coredump@.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-coredump@.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -22,7 +22,6 @@ IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
Nice=9
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
OOMScoreAdjust=500
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateDevices=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateNetwork=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 1365d749ca..c0d4b02418 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-hostnamed.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-hostnamed.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateDevices=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateNetwork=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
index c276283908..f48d673d58 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-initctl.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-initctl.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -14,6 +14,5 @@ DefaultDependencies=no
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
[Service]
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ExecStart=@rootlibexecdir@/systemd-initctl
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
NotifyAccess=all
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
SystemCallArchitectures=native
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 6181d15d77..11f7aefcce 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-journal-remote.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-journal-remote.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LogsDirectory=journal/remote
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateDevices=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateNetwork=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 303d5a4826..f0eb094cf4 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-journald.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-journald.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
@@ -24,7 +24,6 @@ FileDescriptorStoreMax=4224
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
Restart=always
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
RestartSec=0
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 10ecff5184..f1578bd626 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-localed.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-localed.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateDevices=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateNetwork=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index ccbe631586..81fbee6fb6 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-logind.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-logind.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
@@ -35,7 +35,6 @@ FileDescriptorStoreMax=512
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
ProtectControlGroups=yes
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
ProtectHome=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index fa344d487d..b8ca60ddcc 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-machined.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-machined.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
2379dd |
ProtectHostname=yes
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
ProtectKernelLogs=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 01931665a4..0531fcbf12 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-networkd.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-networkd.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
@@ -25,7 +25,6 @@ DeviceAllow=char-* rw
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ExecStart=!!@rootlibexecdir@/systemd-networkd
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectControlGroups=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectHome=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectKernelModules=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index f73697832c..4b8aa68f07 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-resolved.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-resolved.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ExecStart=!!@rootlibexecdir@/systemd-resolved
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateDevices=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectControlGroups=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
index 3abb958310..7447ed5b5b 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-rfkill.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-rfkill.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -18,7 +18,6 @@ Before=shutdown.target
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
[Service]
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ExecStart=@rootlibexecdir@/systemd-rfkill
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
StateDirectory=systemd/rfkill
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
TimeoutSec=30s
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
Type=notify
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index 87859f4aef..337067244e 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-timedated.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-timedated.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
@@ -20,7 +20,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
IPAddressDeny=any
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectControlGroups=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectHome=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
a74696 |
index f0486a70ab..bb1ce55977 100644
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
--- a/units/systemd-timesyncd.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
+++ b/units/systemd-timesyncd.service.in
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
LockPersonality=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
MemoryDenyWriteExecute=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
-NoNewPrivileges=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateDevices=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
PrivateTmp=yes
|
|
Zbigniew Jędrzejewski-Szmek |
b80d66 |
ProtectControlGroups=yes
|