update TODO
This commit is contained in:
parent
2129011e92
commit
d47f681b28
10
TODO
10
TODO
|
@ -35,27 +35,17 @@ Features:
|
||||||
|
|
||||||
* RemoveIPC= in unit files for removing POSIX/SysV IPC objects
|
* RemoveIPC= in unit files for removing POSIX/SysV IPC objects
|
||||||
|
|
||||||
* Set SERVICE_RESULT= as env var while running ExecStop=
|
|
||||||
|
|
||||||
* Introduce ProtectSystem=strict for making the entire OS hierarchy read-only
|
* Introduce ProtectSystem=strict for making the entire OS hierarchy read-only
|
||||||
except for a select few
|
except for a select few
|
||||||
|
|
||||||
* nspawn: start UID allocation loop from hash of container name
|
* nspawn: start UID allocation loop from hash of container name
|
||||||
|
|
||||||
* in the DynamicUser=1 nss module, also map "nobody" and "root" statically
|
|
||||||
|
|
||||||
* pid1: log about all processes we kill with with SIGKILL or in abandoned scopes, as this should normally not happen
|
|
||||||
|
|
||||||
* nspawn: support that /proc, /sys/, /dev are pre-mounted
|
* nspawn: support that /proc, /sys/, /dev are pre-mounted
|
||||||
|
|
||||||
* nspawn: mount esp, so that bootctl can work
|
|
||||||
|
|
||||||
* define gpt header bits to select volatility mode
|
* define gpt header bits to select volatility mode
|
||||||
|
|
||||||
* nspawn: mount loopback filesystems with "discard"
|
* nspawn: mount loopback filesystems with "discard"
|
||||||
|
|
||||||
* Make TasksMax= take percentages, taken relative to the pids_max sysctl and pids.max cgroup limit
|
|
||||||
|
|
||||||
* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
|
* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files
|
||||||
|
|
||||||
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
|
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
|
||||||
|
|
Loading…
Reference in New Issue