naccyde / rpms / systemd

Forked from rpms/systemd a year ago
Clone
36e8a3
From e143339ac712f745727951973417ce93b5d06d78 Mon Sep 17 00:00:00 2001
36e8a3
From: Michal Sekletar <msekleta@redhat.com>
36e8a3
Date: Fri, 12 Oct 2018 14:50:09 +0000
36e8a3
Subject: [PATCH] units: don't enable per-service IP firewall by default
36e8a3
36e8a3
Resolves: #1630219
36e8a3
---
36e8a3
 units/systemd-coredump@.service.in | 1 -
36e8a3
 units/systemd-hostnamed.service.in | 1 -
36e8a3
 units/systemd-journald.service.in  | 1 -
36e8a3
 units/systemd-localed.service.in   | 1 -
36e8a3
 units/systemd-logind.service.in    | 1 -
36e8a3
 units/systemd-machined.service.in  | 1 -
36e8a3
 units/systemd-portabled.service.in | 1 -
36e8a3
 units/systemd-timedated.service.in | 1 -
36e8a3
 units/systemd-udevd.service.in     | 1 -
36e8a3
 9 files changed, 9 deletions(-)
36e8a3
36e8a3
diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in
36e8a3
index 215696ecd..68a68a505 100644
36e8a3
--- a/units/systemd-coredump@.service.in
36e8a3
+++ b/units/systemd-coredump@.service.in
36e8a3
@@ -37,5 +37,4 @@ SystemCallFilter=@system-service
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 StateDirectory=systemd/coredump
36e8a3
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
36e8a3
index da74b4fe8..4e5470dd2 100644
36e8a3
--- a/units/systemd-hostnamed.service.in
36e8a3
+++ b/units/systemd-hostnamed.service.in
36e8a3
@@ -33,5 +33,4 @@ SystemCallFilter=@system-service sethostname
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 ReadWritePaths=/etc
36e8a3
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
36e8a3
index 8f5021d0d..2d5fd0120 100644
36e8a3
--- a/units/systemd-journald.service.in
36e8a3
+++ b/units/systemd-journald.service.in
36e8a3
@@ -33,7 +33,6 @@ SystemCallFilter=@system-service
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 
36e8a3
 # Increase the default a bit in order to allow many simultaneous
36e8a3
 # services being run since we keep one fd open per service. Also, when
36e8a3
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
36e8a3
index a24e61a0c..ce043db15 100644
36e8a3
--- a/units/systemd-localed.service.in
36e8a3
+++ b/units/systemd-localed.service.in
36e8a3
@@ -33,5 +33,4 @@ SystemCallFilter=@system-service
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 ReadWritePaths=/etc
36e8a3
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
36e8a3
index 5e090bcf2..6953fac55 100644
36e8a3
--- a/units/systemd-logind.service.in
36e8a3
+++ b/units/systemd-logind.service.in
36e8a3
@@ -34,7 +34,6 @@ SystemCallFilter=@system-service
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 FileDescriptorStoreMax=512
36e8a3
 
36e8a3
 # Increase the default a bit in order to allow many simultaneous
36e8a3
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
36e8a3
index 1200a90a6..dec2c4b0d 100644
36e8a3
--- a/units/systemd-machined.service.in
36e8a3
+++ b/units/systemd-machined.service.in
36e8a3
@@ -27,7 +27,6 @@ SystemCallFilter=@system-service @mount
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 
36e8a3
 # Note that machined cannot be placed in a mount namespace, since it
36e8a3
 # needs access to the host's mount namespace in order to implement the
36e8a3
diff --git a/units/systemd-portabled.service.in b/units/systemd-portabled.service.in
36e8a3
index a868f61db..64f14071e 100644
36e8a3
--- a/units/systemd-portabled.service.in
36e8a3
+++ b/units/systemd-portabled.service.in
36e8a3
@@ -23,4 +23,3 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
36e8a3
 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
36e8a3
index 906bb4326..662b39557 100644
36e8a3
--- a/units/systemd-timedated.service.in
36e8a3
+++ b/units/systemd-timedated.service.in
36e8a3
@@ -31,5 +31,4 @@ SystemCallFilter=@system-service @clock
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any
36e8a3
 ReadWritePaths=/etc
36e8a3
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
36e8a3
index 6a3814e5d..fd9ead3bb 100644
36e8a3
--- a/units/systemd-udevd.service.in
36e8a3
+++ b/units/systemd-udevd.service.in
36e8a3
@@ -33,4 +33,3 @@ SystemCallFilter=@system-service @module @raw-io
36e8a3
 SystemCallErrorNumber=EPERM
36e8a3
 SystemCallArchitectures=native
36e8a3
 LockPersonality=yes
36e8a3
-IPAddressDeny=any