units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running...
authorLennart Poettering <lennart@poettering.net>
Wed, 19 Mar 2014 15:45:28 +0000 (16:45 +0100)
committerLennart Poettering <lennart@poettering.net>
Wed, 19 Mar 2014 18:09:00 +0000 (19:09 +0100)
units/systemd-bus-driverd.service.in
units/systemd-bus-proxyd@.service.in
units/systemd-hostnamed.service.in
units/systemd-localed.service.in
units/systemd-machined.service.in
units/systemd-timedated.service.in

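--- a/units/systemd-bus-driverd.service.in
+++ b/units/systemd-bus-driverd.service.in
@@ -13,3 +13,5 @@ ExecStart=@rootlibexecdir@/systemd-bus-driverd
 BusName=org.freedesktop.DBus
 WatchdogSec=1min
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes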
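--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -15,3 +15,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes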
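--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes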
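Review bot: The two added sandboxing lines sit under a `CapabilityBoundingSet=` that still includes `CAP_SYS_ADMIN`. Both PrivateTmp= and PrivateDevices= are implemented with a private mount namespace, and a process holding that capability can change the mounts inside its namespace. For this unit the new settings therefore limit accidental exposure of /tmp and device nodes but should not be treated as a containment boundary. I would record that next to the settings, e.g. `# Namespace sandboxing is best-effort here while CAP_SYS_ADMIN stays in the bounding set`, and check whether the capability is still required. The [Service] section begins above the hunk, so other restrictions may exist that are not visible here.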
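--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
 CapabilityBoundingSet=
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes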
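--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -17,3 +17,5 @@ ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes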
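--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -15,3 +15,4 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
 WatchdogSec=1min
+PrivateTmp=yes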
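Review bot: This unit gets `PrivateTmp=yes` but not `PrivateDevices=yes`, unlike the other five units in the commit, and nothing in the file records why. Presumably the daemon needs a real device node (the unit keeps `CAP_SYS_TIME`, so likely the hardware clock), but that is inferred from the hunk rather than stated. A one-line comment such as `# No PrivateDevices= here: timedated needs access to the RTC device` (reason to be confirmed by the author) would keep a later hardening pass from adding the setting and breaking clock writes.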