daemon: Lock down systemd service file

Use systemd's service file to lockdown the UPower daemon to stop eventual security problems. https://bugs.freedesktop.org/show_bug.cgi?id=102898
2026-05-08 08:58:07 +02:00 · 2018-04-16 09:02:44 +02:00 · 2018-04-16 09:02:44 +02:00 · b0cdb7e9fe
commit b0cdb7e9fe
parent 40e525edbd
2 changed files with 24 additions and 1 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -176,7 +176,7 @@ systemdservicedir       = $(systemdsystemunitdir)
 systemdservice_DATA     = $(systemdservice_in_files:.service.in=.service)

 $(systemdservice_DATA): $(systemdservice_in_files) Makefile
-	@sed -e "s|\@libexecdir\@|$(libexecdir)|" $< > $@
+	@sed -e "s|\@libexecdir\@|$(libexecdir)|" -e "s|\@historydir\@|$(historydir)|" $< > $@
 endif

 install-data-hook:
--- a/src/upower.service.in
+++ b/src/upower.service.in
@ -8,5 +8,28 @@ BusName=org.freedesktop.UPower
 ExecStart=@libexecdir@/upowerd
 Restart=on-failure

+# Filesystem lockdown
+ProtectSystem=strict
+ProtectKernelTunables=true
+ProtectControlGroups=true
+ReadWritePaths=@historydir@
+ProtectHome=true
+PrivateTmp=true
+
+# Network
+PrivateNetwork=true
+
+# Execute Mappings
+MemoryDenyWriteExecute=true
+
+# Modules
+ProtectKernelModules=true
+
+# Real-time
+RestrictRealtime=true
+
+# Privilege escalation
+NoNewPrivileges=true
+
 [Install]
 WantedBy=graphical.target