units: deny access to block devices

While the need for access to character devices can be tricky to determine for the general case, it's obvious that most of our services have no need to access block devices. For logind and timedated this can be tightened further.
author: Topi Miettinen <toiwoton@gmail.com> 2019-05-01 14:28:36 +0200
committer: Lennart Poettering <lennart@poettering.net> 2019-06-20 14:03:57 +0200
commit: 9af2820694e1b2d409ed35cf0bca00acab0bdec5 (patch)
tree: bfb51a766ad692b4d6b17ee5519d6c0753f7a334 /units/systemd-journald.service.in
parent: Merge pull request #12762 from yuwata/network-introduce-carrier-and-network-s... (diff)
download: systemd-9af2820694e1b2d409ed35cf0bca00acab0bdec5.tar.xz
systemd-9af2820694e1b2d409ed35cf0bca00acab0bdec5.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index fab405502a..323334f6a3 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -17,6 +17,7 @@ Before=sysinit.target
 
 [Service]
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
+DeviceAllow=char-* rw
 ExecStart=@rootlibexecdir@/systemd-journald
 FileDescriptorStoreMax=4224
 IPAddressDeny=any
author	Topi Miettinen <toiwoton@gmail.com>	2019-05-01 14:28:36 +0200
committer	Lennart Poettering <lennart@poettering.net>	2019-06-20 14:03:57 +0200
commit	9af2820694e1b2d409ed35cf0bca00acab0bdec5 (patch)
tree	bfb51a766ad692b4d6b17ee5519d6c0753f7a334 /units/systemd-journald.service.in
parent	Merge pull request #12762 from yuwata/network-introduce-carrier-and-network-s... (diff)
download	systemd-9af2820694e1b2d409ed35cf0bca00acab0bdec5.tar.xz systemd-9af2820694e1b2d409ed35cf0bca00acab0bdec5.zip