units: turn on RestrictSUIDSGID= in most of our long-running daemons

2026-03-06 15:02:31 -08:00 · 2019-03-20 19:52:20 +01:00
parent 7445db6eb7
commit 62aa29247c
11 changed files with 12 additions and 1 deletions
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -36,6 +36,7 @@ ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeMaxSec=5min
 StateDirectory=systemd/coredump
 SystemCallArchitectures=native
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -32,6 +32,7 @@ ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service sethostname
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -30,6 +30,7 @@ ProtectSystem=strict
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 User=systemd-journal-remote
 WatchdogSec=3min
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -28,6 +28,7 @@ RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket
 StandardOutput=null
 SystemCallArchitectures=native
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -33,6 +33,7 @@ ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -40,6 +40,7 @@ RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown
 RuntimeDirectoryPreserve=yes
 SystemCallArchitectures=native
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -34,6 +34,7 @@ RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
 SystemCallArchitectures=native
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -38,6 +38,7 @@ RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
 SystemCallArchitectures=native
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -31,6 +31,7 @@ ReadWritePaths=/etc
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 SystemCallErrorNumber=EPERM
 SystemCallFilter=@system-service @clock
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,6 +38,7 @@ RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
+RestrictSUIDSGID=yes
 RuntimeDirectory=systemd/timesync
 StateDirectory=systemd/timesync
 SystemCallArchitectures=native
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,8 +28,9 @@ TasksMax=infinity
 PrivateMounts=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 SystemCallFilter=@system-service @module @raw-io
 SystemCallErrorNumber=EPERM
 SystemCallArchitectures=native