journal: limit caps we pass to journald

diff --git a/NEWS b/NEWS
index 3ef4fbb8e8f20679573c2e44af789108daac1fcb..e95ac637ef47be0b668b4562f1ea976b3408da3c 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ CHANGES WITH 41:
           understood to set system wide environment variables
           dynamically at boot.
 
+       * We now limit the set of capabilities of systemd-journald.
+
         Contributions from: Benjamin Franzke, Kay Sievers, Lennart
         Poettering, Michael Olbrich, Michal Schmidt, Tom Gundersen,
         William Douglas

diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 08858f38d79f5a4dcd2f57a15063da0d97dcbecb..c153d472c0c1d654346027b6b17cbf274dbbb06b 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -18,7 +18,7 @@ After=syslog.socket
 ExecStart=@rootlibexecdir@/systemd-journald
 NotifyAccess=all
 StandardOutput=null
-#CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE
+CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER
 
 # Increase the default a bit in order to allow many simultaneous
 # services being run since we keep one fd open per service.