summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-10-02 14:51:49 +0200
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-10-03 07:36:59 -0400
commit4a77c53d64b91f8e622df7c7dec1579278f1e1ce (patch)
tree3c6a49a2b8543cbe0cbe42b0b50da6fbafc56942
parent2df225294fa620ba7654589eedf9d8dde368e0d0 (diff)
NEWS: add another batch of entries
-rw-r--r--NEWS76
-rw-r--r--TODO1
2 files changed, 61 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 5f3f76df4f..4a6a07ae18 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,36 @@ CHANGES WITH 232 in spe
* The new RemoveIPC= option can be used to remove IPC objects owned by
the user or group of a service when that service exits.
+ * ProtectSystem= option gained a new value "strict", which causes the
+ whole file system tree with the exception of /dev, /proc, and /sys,
+ to be remounted read-only for a service.
+
+ The new ProtectedKernelTunables= options can be used to disable
+ modification of configuration files in /sys and /proc by a service.
+ Various directories and files are remounted read-only, so access is
+ restricted even if the file permissions would allow it.
+
+ The new ProtectControlGroups= option can be used to disable write
+ access by a service to /sys/fs/cgroup.
+
+ * Various systemd services have been hardened with
+ ProtectKernelTunables=yes, ProtectControlGroups=yes,
+ RestrictAddressFamilies=.
+
+ In particular, systemd-udevd.service is now run in a Seccomp-based
+ sandbox that prohibits access to AF_INET and AF_INET6 sockets and
+ thus access to the network. This might break code that runs from udev
+ rules that tries to talk to the network. Doing that is generally a
+ bad idea and unsafe due to a variety of reasons. It's also racy as
+ device management would race against network configuration. It is
+ recommended to rework such rules to use the SYSTEMD_WANTS property on
+ the relevant devices to pull in a proper systemd service (which can
+ be sandboxed differently and ordered correctly after the network
+ having come up). If that's not possible consider reverting this
+ sandboxing feature locally by removing the RestrictAddressFamilies=
+ setting from the systemd-udevd.service unit file, or adding AF_INET
+ and AF_INET6 to it.
+
* Support for dynamically creating users for the lifetime of a service
has been added. If DynamicUser=yes is specified, user and group IDs
will be allocated from the range 61184..65519 for the lifetime of the
@@ -12,7 +42,9 @@ CHANGES WITH 232 in spe
module. The module must be enabled in /etc/nsswitch.conf. Services
started in this way have PrivateTmp= and RemoveIPC= enabled, so that
any resources allocated by the service will be cleaned up when the
- service exits.
+ service exits. They also have ProtectHome=read-only and
+ ProtectSystem=strict enabled, so they are not able to make any
+ permanent modifications to the system.
The nss-systemd module also always resolves root and nobody, making
it possible to have no /etc/passwd or /etc/group files in minimal
@@ -54,7 +86,7 @@ CHANGES WITH 232 in spe
mount the EFI partition on systems where /boot is used for something
else.
- * disk/by-id symlinks are now created for NVMe drives.
+ * disk/by-id and disk/by-path symlinks are now created for NVMe drives.
* Two new user session targets have been added to support running
graphical sessions under the systemd --user instance:
@@ -93,6 +125,9 @@ CHANGES WITH 232 in spe
* systemd-run gained a new --wait option that makes service execution
synchronous.
+ systemctl gained a new --wait option that causes the start command to
+ wait until the units being started have terminated again.
+
* A new journal output mode "short-full" has been added which uses
timestamps with abbreviated English day names and adds a timezone
suffix. Those timestamps include more information and can be parsed
@@ -106,6 +141,12 @@ CHANGES WITH 232 in spe
from a single IP can be limited with MaxConnectionsPerSource=,
extending the existing setting of MaxConnections.
+ * systemd-networkd gained support for vcan ("Virtual CAN") interface
+ configuration.
+
+ * .netdev and .network configuration can now be extended through
+ drop-ins.
+
* UDP Segmentation Offload, TCP Segmentation Offload, Generic
Segmentation Offload, Generic Receive Offload, Large Receive Offload
can be enabled and disabled using the new UDPSegmentationOffload=,
@@ -118,6 +159,10 @@ CHANGES WITH 232 in spe
new STP=, Priority=, AgeingTimeSec=, and DefaultPVID= settings in the
[Bridge] section of .netdev files.
+ The route table to which routes received over DHCP or RA should be
+ added can be configured with the new RouteTable= option in the [DHCP]
+ and [IPv6AcceptRA] sections of .network files.
+
Address Resolution Protocol can be disabled on links managed by
systemd-networkd using the ARP=no setting in the [Link] section of
.network files.
@@ -125,11 +170,24 @@ CHANGES WITH 232 in spe
* $SERVICE_RESULT, $EXIT_CODE, $EXIT_STATUS are set for ExecStop= and
ExecStopPost= commands.
+ * systemd-sysctl will now configure kernel parameters in the order
+ they occur in the configuration files. This mathes what sysctl
+ has been traditionally doing.
+
+ * kernel-install "plugins" that are executed to perform various
+ tasks after a new kernel is added and before an old one is removed
+ can now return a special value to terminate the procedure and
+ prevent any later plugins from running.
+
* Journald's SplitMode=login setting has been deprecated. It has been
removed from documentation, and it's use is discouraged. In a future
release it will be completely removed, and made equivalent to current
default of SplitMode=uid.
+ * Storage=both option setting in /etc/systemd/coredump.conf has been
+ removed. With fast LZ4 compression storing the core dump twice is not
+ useful.
+
* The --share-system systemd-nspawn option has been replaced with an
(undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
this functionality is discouraged. In addition the variables
@@ -137,20 +195,6 @@ CHANGES WITH 232 in spe
$SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
individual namespaces.
- * systemd-udevd.service is now run in a Seccomp-based sandbox that
- prohibits access to AF_INET and AF_INET6 sockets and thus access to
- the network. This might break code that runs from udev rules that
- tries to talk to the network. Doing that is generally a bad idea and
- unsafe due to a variety of reasons. It's also racy as device
- management would race against network configuration. It is
- recommended to rework such rules to use the SYSTEMD_WANTS property on
- the relevant devices to pull in a proper systemd service (which can
- be sandboxed differently and ordered correctly after the network
- having come up). If that's not possible consider reverting this
- sandboxing feature locally by removing the RestrictAddressFamilies=
- setting from the systemd-udevd.service unit file, or adding AF_INET
- and AF_INET6 to it.
-
CHANGES WITH 231:
* In service units the various ExecXYZ= settings have been extended
diff --git a/TODO b/TODO
index ff9e9be9fb..f215a4944b 100644
--- a/TODO
+++ b/TODO
@@ -821,6 +821,7 @@ Features:
or interface down
- some servers don't do rapid commit without a filled in IA_NA, verify
this behavior
+ - RouteTable= ?
External: