uuidd: Add hardening settings to uuidd.service

This limits what the uuid daemon has access to when it runs. Further improving this with additional option or making things even tighter is most likely possible. Signed-off-by: Andreas Henriksson <andreas@fatal.se>
author: Andreas Henriksson 2018-11-23 12:10:59 +0100
committer: Karel Zak 2018-11-29 10:37:08 +0100
commit: df8d991b241d3eec80a621372f0c80a59abbfdae (patch)
tree: ad2ae252a9931c719b804fd9abd6672216152230
parent: tests: add test images for drbd v08/v09 (diff)
download: kernel-qcow2-util-linux-df8d991b241d3eec80a621372f0c80a59abbfdae.tar.gz
kernel-qcow2-util-linux-df8d991b241d3eec80a621372f0c80a59abbfdae.tar.xz
kernel-qcow2-util-linux-df8d991b241d3eec80a621372f0c80a59abbfdae.zip
1 files changed, 11 insertions, 0 deletions
diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in
index a43b3c3e0..b4c9c4635 100644
--- a/misc-utils/uuidd.service.in
+++ b/misc-utils/uuidd.service.in
@@ -8,6 +8,17 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation
 Restart=no
 User=uuidd
 Group=uuidd
+ProtectSystem=strict
+ProtectHome=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateUsers=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+MemoryDenyWriteExecute=yes
+SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io
 
 [Install]
 Also=uuidd.socket
author	Andreas Henriksson	2018-11-23 12:10:59 +0100
committer	Karel Zak	2018-11-29 10:37:08 +0100
commit	df8d991b241d3eec80a621372f0c80a59abbfdae (patch)
tree	ad2ae252a9931c719b804fd9abd6672216152230
parent	tests: add test images for drbd v08/v09 (diff)
download	kernel-qcow2-util-linux-df8d991b241d3eec80a621372f0c80a59abbfdae.tar.gz kernel-qcow2-util-linux-df8d991b241d3eec80a621372f0c80a59abbfdae.tar.xz kernel-qcow2-util-linux-df8d991b241d3eec80a621372f0c80a59abbfdae.zip