units: set LockPersonality= for all our long-running services (#6819)

Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.

diff --git a/TODO b/TODO
index e65733e..cabba10 100644 (file)
--- a/TODO
+++ b/TODO
@@ -27,8 +27,6 @@ Features:
 * dissect: when we discover squashfs, don't claim we had a "writable" partition
   in systemd-dissect
 
-* set LockPersonality= on all our services
-
 * Add AddUser= setting to unit files, similar to DynamicUser=1 which however
   creates a static, persistent user rather than a dynamic, transient user. We
   can leverage code from sysusers.d for this.

diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
index c699a80..d7eaf33 100644 (file)
--- a/units/systemd-coredump@.service.in
+++ b/units/systemd-coredump@.service.in
@@ -33,4 +33,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/coredump

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index d29e9ff..9bb5ad8 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 5876205..695a5f2 100644 (file)
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -23,3 +23,4 @@ RestrictNamespaces=net
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes

diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index fd7a971..b24d698 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -25,6 +25,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # If there are many split upjournal files we need a lot of fds to
 # access them all and combine

diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index c24e673..92cec21 100644 (file)
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -27,6 +27,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 LogsDirectory=journal/remote
 
 [Install]

diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index b0bee39..98a4b2b 100644 (file)
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -28,6 +28,7 @@ RestrictRealtime=yes
 RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/journal-upload
 
 # If there are many split up journal files we need a lot of fds to

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 1e86d63..07e03e7 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -29,6 +29,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service. Also, when

diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 90a9138..1366fa7 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -29,4 +29,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f851373..f6daf77 100644 (file)
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -30,6 +30,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 FileDescriptorStoreMax=512
 
 # Increase the default a bit in order to allow many simultaneous

diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index a4f86aa..fb4df38 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -23,6 +23,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the

diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 3f0ad77..932dd63 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -34,6 +34,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/netif
 RuntimeDirectoryPreserve=yes
 

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index ba8d3f6..cda83ee 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -36,6 +36,7 @@ RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 RuntimeDirectory=systemd/resolve
 RuntimeDirectoryPreserve=yes
 

diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 2b5f074..9fca1d1 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -27,4 +27,5 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 ReadWritePaths=/etc

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a6e14d2..8d3f46c 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -38,6 +38,7 @@ RestrictNamespaces=yes
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
+LockPersonality=yes
 StateDirectory=systemd/timesync
 
 [Install]

diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 3b92c6a..d3d13ed 100644 (file)
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -28,3 +28,4 @@ MemoryDenyWriteExecute=yes
 RestrictRealtime=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallArchitectures=native
+LockPersonality=yes