update NEWS

2018-04-19 16:51:04 +02:00 · 2018-04-19 16:51:04 +02:00 · e01d9e2193
parent 6f659e5075
commit e01d9e2193
1 changed files with 9 additions and 0 deletions
--- a/9
+++ b/9
@ -46,6 +46,15 @@ CHANGES WITH 239 in spe:
          both runtime and persistent enablement/masking, i.e. it will remove
          any relevant symlinks both in /run and /etc.

+        * Note that all long-running system services shipped with systemd will
+          now default to a system call whitelist (rather than a blacklist, as
+          before). In particular, systemd-udevd will now enforce one too. For
+          most cases this should be safe, however downstream distributions
+          which disabled sandboxing of systemd-udevd (specifically the
+          MountFlags= setting), might want to disable this security feature
+          too, as the default whitelisting will prohibit all mount, swap,
+          reboot and clock changing operations from udev rules.
+
        * sd-boot acquired new loader configuration settings to optionally turn
          off Windows and MacOS boot partition discovery as well as
          reboot-into-firmware menu items. It is also able to pick a better