morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 00:14:32 +09:00
Code Issues Packages Projects Releases Wiki Activity

units: restrict namespace for a good number of our own services

Browse Source 
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
This commit is contained in:
Lennart Poettering
2017-02-09 10:28:23 +01:00
parent 7f396e5f66
commit 3c19d0b46b
10 changed files with 10 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
units/systemd-importd.service.in
View File

@@ -19,6 +19,7 @@ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_
NoNewPrivileges=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictNamespaces=net
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
SystemCallArchitectures=native