picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
29,921 Commits 2 Branches 0 Tags 166 MiB
Commit Graph

12 Commits

Author SHA1 Message Date
Lennart Poettering bff8f2543b units: set LockPersonality= for all our long-running services (#6819) 
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
 2017-09-14 19:45:40 +02:00
Lennart Poettering 635f3df5dc units: make use of the new !! ExecStart= prefix in systemd-resolved.service 
Let's make use of !! to run resolved with ambient capabilities on
systems supporting them.
 2017-08-10 15:04:32 +02:00
Yu Watanabe 4429c69f8d units: do not perform m4 if not necessary (#6575) 2017-08-09 09:13:41 -04:00
Dimitri John Ledkov defa8e675b resolved: Do not add .busname dependencies, when compiling without kdbus. 2015-03-19 17:27:39 +01:00
Lennart Poettering a24111cea6 Revert "units: add SecureBits" 
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
 2015-02-11 18:28:06 +01:00
Topi Miettinen 6a716208b3 units: add SecureBits 
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
 2015-02-11 17:33:36 +01:00
Lennart Poettering 0ef403877a units: turn on watchdog for resolved 2015-01-27 14:31:44 +01:00
Lennart Poettering 78ad7cf1b9 units: make resolved pull in its own .busname unit, but only on kdbus systems 
The daemon requires the busname unit to operate, since it contains the
policy that allows it to acquire its service name.
 2015-01-07 23:44:08 +01:00
Lennart Poettering 1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
 2014-06-04 18:12:55 +02:00
Lennart Poettering 417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units 
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
 2014-06-03 23:57:51 +02:00
Tom Gundersen 682265d5e2 resolved: run as unpriviliged "systemd-resolve" user 
This service is not yet network facing, but let's prepare nonetheless.
Currently all caps are dropped, but some may need to be kept in the
future.
 2014-06-03 10:40:28 +02:00
Tom Gundersen 091a364c80 resolved: add daemon to manage resolv.conf 
Also remove the equivalent functionality from networkd.
 2014-05-19 18:14:56 +02:00