[systemd-commits] 2 commits - src/udev units/systemd-hostnamed.service.in units/systemd-importd.service.in units/systemd-journal-gatewayd.service.in units/systemd-journal-remote.service.in units/systemd-journal-upload.service.in units/systemd-journald.service.in units/systemd-localed.service.in units/systemd-logind.service.in units/systemd-machined.service.in units/systemd-networkd.service.in units/systemd-resolved.service.in units/systemd-timedated.service.in units/systemd-timesyncd.service.in

Lennart Poettering lennart at kemper.freedesktop.org
Wed Feb 11 09:02:06 PST 2015


 src/udev/ata_id/ata_id.c                  |    4 ----
 units/systemd-hostnamed.service.in        |    1 +
 units/systemd-importd.service.in          |    1 +
 units/systemd-journal-gatewayd.service.in |    1 +
 units/systemd-journal-remote.service.in   |    1 +
 units/systemd-journal-upload.service.in   |    1 +
 units/systemd-journald.service.in         |    1 +
 units/systemd-localed.service.in          |    1 +
 units/systemd-logind.service.in           |    1 +
 units/systemd-machined.service.in         |    1 +
 units/systemd-networkd.service.in         |    1 +
 units/systemd-resolved.service.in         |    1 +
 units/systemd-timedated.service.in        |    1 +
 units/systemd-timesyncd.service.in        |    1 +
 14 files changed, 13 insertions(+), 4 deletions(-)

New commits:
commit e203dc1076dd5c1485509975a4c63c8328c262f4
Author: Robert Milasan <rmilasan at suse.com>
Date:   Thu Feb 5 14:19:35 2015 +0100

    ata_id: remove unused header files
    
    Signed-off-by: Robert Milasan <rmilasan at suse.com>

diff --git a/src/udev/ata_id/ata_id.c b/src/udev/ata_id/ata_id.c
index 31bc167..9e4f674 100644
--- a/src/udev/ata_id/ata_id.c
+++ b/src/udev/ata_id/ata_id.c
@@ -34,12 +34,8 @@
 #include <sys/ioctl.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#include <linux/types.h>
 #include <linux/hdreg.h>
-#include <linux/fs.h>
-#include <linux/cdrom.h>
 #include <linux/bsg.h>
-#include <arpa/inet.h>
 
 #include "libudev.h"
 #include "libudev-private.h"

commit 6a716208b346b742053cfd01e76f76fb27c4ea47
Author: Topi Miettinen <toiwoton at gmail.com>
Date:   Wed Feb 11 18:32:14 2015 +0200

    units: add SecureBits
    
    No setuid programs are expected to be executed, so add
    SecureBits=noroot noroot-locked
    to unit files.

diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index cc88ecd..259b451 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/hostnamed
 ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 PrivateDevices=yes
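Review bot: `SecureBits=noroot` affects more than setuid programs: per capabilities(7) it also stops the kernel from granting capabilities when a process with UID 0 calls execve(). No `User=` is visible in this hunk and the bounding set keeps `CAP_SYS_ADMIN`, so if the manager applies the secure bits before executing the daemon, hostnamed would presumably start as root with an empty permitted set, and `noroot-locked` prevents it from clearing the bit afterwards. The same concern applies to the other units in this commit that show a non-empty `CapabilityBoundingSet=` and no `User=` (importd, journald, logind, machined, networkd, resolved, timedated, timesyncd). I would confirm that each daemon still holds its expected capabilities after start, for example by checking `CapEff` in `/proc/<pid>/status`, and drop the line from any unit where it does not. The [Service] section starts outside the hunk, so settings above it are not visible here.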
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index 26759ea..189c763 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -14,6 +14,7 @@ ExecStart=@rootlibexecdir@/systemd-importd
 BusName=org.freedesktop.import1
 CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_SYS_ADMIN CAP_SETPCAP
 NoNewPrivileges=yes
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 ProtectSystem=full
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in
index 987220e..f15a37f 100644
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -11,6 +11,7 @@ Requires=systemd-journal-gatewayd.socket
 
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-gatewayd
+SecureBits=noroot noroot-locked
 User=systemd-journal-gateway
 Group=systemd-journal-gateway
 SupplementaryGroups=systemd-journal
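Review bot: For the units that run under `User=` (this one, journal-remote and journal-upload), `noroot` does not stop a set-user-ID-root binary from running with effective UID 0; it only withholds the capability grant on exec. If the intent stated in the commit message is that no setuid program should gain privileges, `NoNewPrivileges=yes` expresses that directly, as the importd unit in this commit already does. I would add `NoNewPrivileges=yes` next to `User=` here, provided nothing the daemon executes depends on it, or at least a comment such as `# noroot: setuid-root helpers receive no capabilities` stating what the bits are meant to cover.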
diff --git a/units/systemd-journal-remote.service.in b/units/systemd-journal-remote.service.in
index 4a898d6..afa35e6 100644
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@@ -13,6 +13,7 @@ Requires=systemd-journal-remote.socket
 ExecStart=@rootlibexecdir@/systemd-journal-remote \
           --listen-https=-3 \
           --output=/var/log/journal/remote/
+SecureBits=noroot noroot-locked
 User=systemd-journal-remote
 Group=systemd-journal-remote
 PrivateTmp=yes
diff --git a/units/systemd-journal-upload.service.in b/units/systemd-journal-upload.service.in
index b2e3c76..f8524ca 100644
--- a/units/systemd-journal-upload.service.in
+++ b/units/systemd-journal-upload.service.in
@@ -12,6 +12,7 @@ After=network.target
 [Service]
 ExecStart=@rootlibexecdir@/systemd-journal-upload \
           --save-state
+SecureBits=noroot noroot-locked
 User=systemd-journal-upload
 PrivateTmp=yes
 PrivateDevices=yes
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index a3540c6..b48e4ad 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -22,6 +22,7 @@ RestartSec=0
 NotifyAccess=all
 StandardOutput=null
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 FileDescriptorStoreMax=1024
 
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index bfa0978..d2fbf30 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/localed
 ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
 CapabilityBoundingSet=
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 PrivateDevices=yes
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index f087e99..471278a 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -24,6 +24,7 @@ Restart=always
 RestartSec=0
 BusName=org.freedesktop.login1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 
 # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 15f34d9..0cb823e 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -16,6 +16,7 @@ After=machine.slice
 ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 PrivateDevices=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 5a91b8e..057cc8c 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -23,6 +23,7 @@ Restart=on-failure
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-networkd
 CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=1min
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index b643da9..00967e3 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -21,6 +21,7 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 ProtectSystem=full
 ProtectHome=yes
 WatchdogSec=1min
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index fe5ccb4..9083e28 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -14,6 +14,7 @@ Documentation=http://www.freedesktop.org/wiki/Software/systemd/timedated
 ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
+SecureBits=noroot noroot-locked
 WatchdogSec=1min
 PrivateTmp=yes
 ProtectSystem=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 39edafc..bc7aa26 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -23,6 +23,7 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
 CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+SecureBits=noroot noroot-locked
 PrivateTmp=yes
 PrivateDevices=yes
 ProtectSystem=full


