units: prohibit all IP traffic on all our long-running services (#6921)

Let's lock things down further.
author: Lennart Poettering <lennart@poettering.net> 2017-10-04 14:16:28 +0200
committer: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> 2017-10-04 14:16:28 +0200
commit: 0a9b166b43e9d035034beb929ed2c892094af9dc (patch)
tree: b239afa158eff613401596702901c297a5ac5074 /units/systemd-machined.service.in
parent: man: empty string resets the list of NTP servers (#6984) (diff)
download: systemd-0a9b166b43e9d035034beb929ed2c892094af9dc.tar.xz
systemd-0a9b166b43e9d035034beb929ed2c892094af9dc.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index fb4df38293..03b9bf5c0d 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
 SystemCallArchitectures=native
 LockPersonality=yes
+IPAddressDeny=any
 
 # Note that machined cannot be placed in a mount namespace, since it
 # needs access to the host's mount namespace in order to implement the
author	Lennart Poettering <lennart@poettering.net>	2017-10-04 14:16:28 +0200
committer	Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>	2017-10-04 14:16:28 +0200
commit	0a9b166b43e9d035034beb929ed2c892094af9dc (patch)
tree	b239afa158eff613401596702901c297a5ac5074 /units/systemd-machined.service.in
parent	man: empty string resets the list of NTP servers (#6984) (diff)
download	systemd-0a9b166b43e9d035034beb929ed2c892094af9dc.tar.xz systemd-0a9b166b43e9d035034beb929ed2c892094af9dc.zip