From d99a70529637d44cdd8f6ade3b981ea33f09d90d Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 19 Mar 2014 16:45:28 +0100
Subject: [PATCH] units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running daemons

---
 units/systemd-bus-driverd.service.in | 2 ++
 units/systemd-bus-proxyd@.service.in | 2 ++
 units/systemd-hostnamed.service.in | 2 ++
 units/systemd-localed.service.in | 2 ++
 units/systemd-machined.service.in | 2 ++
 units/systemd-timedated.service.in | 1 +
 6 files changed, 11 insertions(+)

diff --git a/units/systemd-bus-driverd.service.in b/units/systemd-bus-driverd.service.in
index 0bda4037c..52264862c 100644
--- a/units/systemd-bus-driverd.service.in
+++ b/units/systemd-bus-driverd.service.in
@@ -13,3 +13,5 @@ ExecStart=@rootlibexecdir@/systemd-bus-driverd
 BusName=org.freedesktop.DBus
 WatchdogSec=1min
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in
index 1bdb459f7..1a6458ac5 100644
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -15,3 +15,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 3f5ef75c0..c8bf8480c 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 1951123a0..6fb05655c 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
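Review bot: `PrivateDevices=yes` in units/systemd-bus-driverd.service.in, and again in units/systemd-bus-proxyd@.service.in, gives the service a minimal private /dev holding only pseudo-devices such as /dev/null and /dev/random, so a bus endpoint that either daemon opens under /dev would no longer be visible to it. The bus-proxyd `ExecStart=` arguments are not readable on this page, so whether it is handed a path under /dev cannot be confirmed from the hunk. If either daemon does depend on a device node, drop the line for that unit and record the exception, e.g. `# No PrivateDevices=: needs its bus device node under /dev`. Both units should be start-tested with the new settings before this lands.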
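Review bot: In units/systemd-hostnamed.service.in the new `PrivateTmp=yes` and `PrivateDevices=yes` sit next to `CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE`, and a process that keeps CAP_SYS_ADMIN can change the mounts inside its own namespace. For this unit the private /tmp and /dev therefore limit accidental exposure rather than contain a compromised daemon. I would state that in the unit, e.g. `# Mount sandboxing is not a hard boundary while CAP_SYS_ADMIN is retained`, and follow up on whether the bounding set can be narrowed.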
@@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
 CapabilityBoundingSet=
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 2679dced8..2be1dcf4e 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -17,3 +17,5 @@ ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index f7fb6577c..5c90290cd 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -15,3 +15,4 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
 WatchdogSec=1min
+PrivateTmp=yes
-- 
2.30.2
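Review bot: units/systemd-timedated.service.in gets only `PrivateTmp=yes`, although the subject line promises both settings for all long-running daemons, and nothing in the unit says why `PrivateDevices=yes` is left out. Presumably timedated needs the real-time-clock device node, which a private /dev would hide. If so, record it next to the setting, e.g. `# No PrivateDevices=: needs access to the RTC device`, so a later hardening pass does not add the option blindly. If that is not the reason, the line should be added to match the other five units.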