From 69860269011435e30e45713e44ba5adeaea8b546 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?=
Date: Wed, 3 Apr 2019 10:56:14 +0200
Subject: [PATCH] Revert "units: set NoNewPrivileges= for all long-running services"

This reverts commit 64d7f7b4a15f1534fb19fda6b601fec50783bee4.
---
 units/systemd-coredump@.service.in | 1 -
 units/systemd-hostnamed.service.in | 1 -
 units/systemd-initctl.service.in | 1 -
 units/systemd-journal-remote.service.in | 1 -
 units/systemd-journald.service.in | 1 -
 units/systemd-localed.service.in | 1 -
 units/systemd-logind.service.in | 1 -
 units/systemd-machined.service.in | 1 -
 units/systemd-networkd.service.in | 1 -
 units/systemd-resolved.service.in | 1 -
 units/systemd-rfkill.service.in | 1 -
 units/systemd-timedated.service.in | 1 -
 units/systemd-timesyncd.service.in | 1 -
 13 files changed, 13 deletions(-)

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index 951faa62a1..c3997d17d0 100644
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -22,7 +22,6 @@ IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 Nice=9
-NoNewPrivileges=yes
 OOMScoreAdjust=500
 PrivateDevices=yes
 PrivateNetwork=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 1365d749ca..c0d4b02418 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
diff --git a/units/systemd-initctl.service.in b/units/systemd-initctl.service.in
index c276283908..f48d673d58 100644
--- a/units/systemd-initctl.service.in
+++ b/units/systemd-initctl.service.in
@@ -14,6 +14,5 @@ DefaultDependencies=no
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-initctl
-NoNewPrivileges=yes
 NotifyAccess=all
 SystemCallArchitectures=native
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 6181d15d77..11f7aefcce 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -17,7 +17,6 @@ ExecStart=@rootlibexecdir@/systemd-journal-remote --listen-https=-3 --output=/va
 LockPersonality=yes
 LogsDirectory=journal/remote
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 303d5a4826..f0eb094cf4 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -24,7 +24,6 @@ FileDescriptorStoreMax=4224
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 10ecff5184..f1578bd626 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -19,7 +19,6 @@ ExecStart=@rootlibexecdir@/systemd-localed
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ccbe631586..81fbee6fb6 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -35,7 +35,6 @@ FileDescriptorStoreMax=512
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index fa344d487d..b8ca60ddcc 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -22,7 +22,6 @@ ExecStart=@rootlibexecdir@/systemd-machined
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 01931665a4..0531fcbf12 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -25,7 +25,6 @@ DeviceAllow=char-* rw
 ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index f73697832c..4b8aa68f07 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -25,7 +25,6 @@ CapabilityBoundingSet=CAP_SETPCAP CAP_NET_RAW CAP_NET_BIND_SERVICE
 ExecStart=!!@rootlibexecdir@/systemd-resolved
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
diff --git a/units/systemd-rfkill.service.in b/units/systemd-rfkill.service.in
index 3abb958310..7447ed5b5b 100644
--- a/units/systemd-rfkill.service.in
+++ b/units/systemd-rfkill.service.in
@@ -18,7 +18,6 @@ Before=shutdown.target
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-rfkill
-NoNewPrivileges=yes
 StateDirectory=systemd/rfkill
 TimeoutSec=30s
 Type=notify
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 87859f4aef..337067244e 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -20,7 +20,6 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 IPAddressDeny=any
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateTmp=yes
 ProtectControlGroups=yes
 ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index f0486a70ab..bb1ce55977 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -24,7 +24,6 @@ CapabilityBoundingSet=CAP_SYS_TIME
 ExecStart=!!@rootlibexecdir@/systemd-timesyncd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectControlGroups=yes