All of these gaps have already been patched. At the end of November and the beginning of December. Before the release of version 240.
Code:
cat /usr/lib/systemd/system/systemd-journald.service [Unit] Description=Journal Service Documentation=man:systemd-journald.service(8) man:journald.conf(5) DefaultDependencies=no Requires=systemd-journald.socket After=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket syslog.socket Before=sysinit.target [Service] CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE ExecStart=/usr/lib/systemd/systemd-journald FileDescriptorStoreMax=4224 IPAddressDeny=any LockPersonality=yes MemoryDenyWriteExecute=yes [B]NoNewPrivileges=yes[/B] Restart=always RestartSec=0 RestrictAddressFamilies=AF_UNIX AF_NETLINK RestrictNamespaces=yes RestrictRealtime=yes Sockets=systemd-journald.socket systemd-journald-dev-log.socket systemd-journald-audit.socket StandardOutput=null SystemCallArchitectures=native SystemCallErrorNumber=EPERM SystemCallFilter=@system-service Type=notify WatchdogSec=3min
Comment