Instead of blindly creating another bind mount for read-only mounts,
check if there's already one we can use, and if so, use it. Also,
recursively mark all submounts read-only too. Also, ignore autofs mounts
when remounting read-only unless they are already triggered.
Restart=on-abnormal is similar to Restart=on-failure, but avoids
restarts on unclean exit codes (but still doing restarts on all
obviously unclean exits, such as timeouts, signals, coredumps, watchdog
timeouts).
Also see:
https://fedorahosted.org/fpc/ticket/191
sd_pid_notify() operates like sd_notify(), however operates on a
different PID (for example the parent PID of a process).
Make use of this in systemd-notify, so that message are sent from the
PID specified with --pid= rather than the usually shortlived PID of
systemd-notify itself.
This should increase the likelyhood that PID 1 can identify the cgroup
that the notification message was sent from properly.
This would otherwise unconditionally trigger any /boot autofs mount,
which we probably should avoid.
ProtectSystem= will now only cover /usr and (optionally) /etc, both of
which cannot be autofs anyway.
ProtectHome will continue to cover /run/user and /home. The former
cannot be autofs either. /home could be, however is frequently enough
used (unlikey /boot) so that it isn't too problematic to simply trigger
it unconditionally via ProtectHome=.
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
systemd fails to build (symbols not found/resolved during cgls link step)
under gcc-4.9.0 due to link-time optimization (lto) changes, in particular
from gcc-4.9.0/NEWS:
+ When using a linker plugin, compiling with the -flto option
now generates slim objects files (.o) which only contain
intermediate language representation for LTO. Use
-ffat-lto-objects to create files which contain additionally
the object code. To generate static libraries suitable for LTO
processing, use gcc-ar and gcc-ranlib; to list symbols from a
slim object file use gcc-nm. (Requires that ar, ranlib and nm
have been compiled with plugin support.)
Both -flto and -ffat-lto-objects are now needed when building and linking
against static libs w/LTO.
Now that we moved the actual syslog socket to
/run/systemd/journal/dev-log we can actually make /dev/log a symlink to
it, when PrivateDevices= is used, thus making syslog available to
services using PrivateDevices=.
With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO
nodes in the file system, with the same lifecycle as the socket itself.
This has two benefits: first, this allows us to remove /dev/log and
/dev/initctl from /dev, thus leaving only symlinks, device nodes and
directories in the /dev tree. More importantly however, this allows us
to move /dev/log out of /dev, while still making it accessible there, so
that PrivateDevices= can provide /dev/log too.
This should make sure that fdisk-like programs will automatically
cause an update of all partitions, just like mkfs-like programs cause
an update of the partition.
Either become uid/gid of the client we have been forked for, or become
the "systemd-bus-proxy" user if the client was root. We retain
CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
Configuration will be in
root:root /run/systemd/network
and state will be in
systemd-network:systemd-network /run/systemd/netif
This matches what we do for logind's seat/session state.
Lennart Poettering