Update TODO

This commit is contained in:
Lennart Poettering 2016-08-24 20:53:56 +02:00 committed by Djalal Harouni
parent ba128bb809
commit 0439746492
1 changed file with 11 additions and 27 deletions

TODO

@ -32,6 +32,8 @@ Janitorial Clean-ups:
Features:
* switch to ProtectSystem=strict for all our long-running services where that's possible
* introduce an "invocation ID" for units, that is randomly generated, and
identifies each runtime-cycle of a unit. It should be set freshly each time
we traverse inactive → activating/active, and should be the primary key to
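Review bot: the invocation ID entry should pin down how the value is generated, since the next hunk relies on it as something that "cannot be faked": state the size and the randomness source (a 128-bit value from the kernel RNG, as used for the existing sd_id128 boot and machine IDs) so the unguessability requirement is explicit for whoever implements it rather than implied by "randomly generated".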
@ -40,8 +42,9 @@ Features:
the cgroup of a services. The former is accessible without privileges, the
latter ensures the ID cannot be faked.
* Introduce ProtectSystem=strict for making the entire OS hierarchy read-only
except for a select few
* If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet
* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name
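Review bot: "Introduce ProtectSystem=strict for making the entire OS hierarchy read-only except for a select few" duplicates the "switch to ProtectSystem=strict for all our long-running services" item in the previous hunk; if both are meant to survive this patch they should be merged into one entry, and "except for a select few" should name what is exempt. Two smaller points: the existing directive is spelled RestrictAddressFamilies= in systemd.exec(5), not RestrictAddressFamily=, and "the cgroup of a services" should read "the cgroup of a service".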
@ -55,16 +58,14 @@ Features:
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls)
* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
* ProtectDevices= should also take iopl/ioperm/pciaccess away
* ProtectKeyRing= to take keyring calls away
* ProtectControlGroups= which mounts all of /sys/fs/cgroup read-only
* ProtectKernelTunables= which mounts /sys and /proc/sys read-only
* RemoveKeyRing= to remove all keyring entries of the specified user
* Add DataDirectory=, CacheDirectory= and LogDirectory= to match
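Review bot: several identifiers in this hunk are misspelled and would mislead whoever picks the items up: the capability is CAP_SYS_TIME, not CAP_SYS_TIMES; "seecomp" should be "seccomp"; "sets DeviceAllow o /dev/rtc" is missing its preposition; and the existing directive is MountFlags=, not Mountflags=. The ProtectTracing= line should also say whether "makes /sys/kernel/tracing go away" means a read-only mount or an empty/inaccessible mount, since the two give different guarantees to a confined service.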
@ -72,9 +73,6 @@ Features:
* Add BindDirectory= for allowing arbitrary, private bind mounts for services
* Beef up RootDirectory= to use namespacing/bind mounts as soon as fs
namespaces are enabled by the service
* Add RootImage= for mounting a disk image or file as root directory
* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
@ -180,7 +178,7 @@ Features:
* implement a per-service firewall based on net_cls
* Port various tools to make use of verbs.[ch], where applicable: busctl,
bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
* hostnamectl: show root image uuid
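Review bot: the two adjacent tool lists differ only in whether "bootctl" is present, and this render carries no "+"/"-" markers, so it is not visible which of the two is the new line; the one-line commit message "Update TODO" does not say either. A short commit body noting which tools have been ported to verbs.[ch] (and so are being dropped from the list) would make this change reviewable from the log alone.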
@ -293,9 +291,6 @@ Features:
* MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
* "busctl status" works only as root on dbus1, since we cannot read
/proc/$PID/exe
* implement Distribute= in socket units to allow running multiple
service instances processing the listening socket, and open this up
for ReusePort=
@ -306,8 +301,6 @@ Features:
and passes this back to PID1 via SCM_RIGHTS. This also could be used
to allow Chown/chgrp on sockets without requiring NSS in PID 1.
* New service property: maximum CPU runtime for a service
* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
$UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
should SIGSTOP all unit processes in a loop until all processes of
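Review bot: "maximum CPU runtime for a service" is ambiguous: per-process CPU time is already expressible through LimitCPU= (RLIMIT_CPU), so the entry should say whether it means an aggregate limit over all processes in the unit's cgroup, and what the enforcement action is when it is reached (killing the offending process versus stopping the whole unit).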
@ -344,12 +337,10 @@ Features:
error. Currently, we just ignore it and read the unit from the search
path anyway.
* refuse boot if /etc/os-release is missing or /etc/machine-id cannot be set up
* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
* btrfs raid assembly: some .device jobs stay stuck in the queue
* make sure gdm does not use multi-user-x but the new default X configuration file, and then remove multi-user-x from systemd
* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
* load .d/*.conf dropins for device units
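Review bot: the os-release condition moves from /etc/os-release to /usr/lib/os-release; per os-release(5), /etc/os-release may be a regular file that overrides the /usr/lib copy rather than a symlink to it, so a "refuse boot" check keyed on /usr/lib/os-release alone would reject otherwise valid installations. Phrasing the condition as "neither /etc/os-release nor /usr/lib/os-release is present" avoids turning a packaging choice into an unbootable system.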
@ -606,9 +597,6 @@ Features:
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
* nspawn:
- to allow "linking" of nspawn containers, extend --network-bridge= so
that it can dynamically create bridge interfaces that are refcounted
by the containers on them. For each group of containers to link together
- nspawn -x should support ephemeral instances of gpt images
- emulate /dev/kmsg using CUSE and turn off the syslog syscall
with seccomp. That should provide us with a useful log buffer that
@ -617,8 +605,6 @@ Features:
- as soon as networkd has a bus interface, hook up --network-interface=,
--network-bridge= with networkd, to trigger netdev creation should an
interface be missing
- don't copy /etc/resolv.conf from host into container unless we are in
shared-network mode
- a nice way to boot up without machine id set, so that it is set at boot
automatically for supporting --ephemeral. Maybe hash the host machine id
together with the machine name to generate the machine id for the container
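Review bot: if the container's machine ID is derived from the host's, use a keyed derivation (HMAC with the host machine ID as key and the container name as message) rather than a plain hash over the concatenation: machine-id(5) treats the machine ID as confidential, and a keyed construction gives the intended one-way derivation with well-understood properties instead of an ad-hoc one that has to be audited later. The entry should also note the consequence that two containers with the same name on the same host get the same ID, which is what --ephemeral wants but should be stated.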
@ -684,7 +670,6 @@ Features:
* coredump:
- save coredump in Windows/Mozilla minidump format
- move PID 1 segfaults to /var/lib/systemd/coredump?
* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
@ -751,7 +736,6 @@ Features:
- GC unreferenced jobs (such as .device jobs)
- move PAM code into its own binary
- when we automatically restart a service, ensure we restart its rdeps, too.
- for services: do not set $HOME in services unless requested
- hide PAM options in fragment parser when compile time disabled
- Support --test based on current system state
- If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().
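Review bot: "generated form the reverse of unit_name_mangle()" should read "generated from". The "$HOME" item would also benefit from naming the mechanism that "requested" refers to, since programs that assume $HOME is set will change behaviour once it is left unset by default.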