| Field | Value | Date |
|---|---|---|
| author | Djalal Harouni <tixxdz@opendz.org> | 2016-10-21 13:25:23 +0200 |
| committer | Lennart Poettering <lennart@poettering.net> | 2016-10-21 13:25:23 +0200 |
| commit | 6fa441140ee6faf131c97b1aa002e060b81aaaff (patch) | |
| tree | 5871a95b00a242de74ef66db12c8390af3ef6b4c /NEWS | |
| parent | e0972037fb96f9241312bbb63e2fc454966ee2c9 (diff) | |
NEWS: update NEWS about ProtectKernelModules= option (#4445)
Diffstat (limited to 'NEWS')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | NEWS | 7 |

1 files changed, 5 insertions, 2 deletions
@@ -5,16 +5,19 @@ CHANGES WITH 232 in spe * The new RemoveIPC= option can be used to remove IPC objects owned by the user or group of a service when that service exits. + * The new ProtectKernelModules= option can be used to disable explicit + load and unload operations of kernel modules by a service. + * ProtectSystem= option gained a new value "strict", which causes the whole file system tree with the exception of /dev, /proc, and /sys, to be remounted read-only for a service. - The new ProtectedKernelTunables= options can be used to disable + * The new ProtectedKernelTunables= option can be used to disable modification of configuration files in /sys and /proc by a service. Various directories and files are remounted read-only, so access is restricted even if the file permissions would allow it. - The new ProtectControlGroups= option can be used to disable write + * The new ProtectControlGroups= option can be used to disable write access by a service to /sys/fs/cgroup. * Various systemd services have been hardened with |
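Review bot: the line `+ * The new ProtectedKernelTunables= option can be used to disable` fixes the missing bullet marker but carries over the misspelled option name; the setting systemd actually documents is `ProtectKernelTunables=`, which also matches the `ProtectKernelModules=` and `ProtectControlGroups=` naming used in the neighbouring entries, so the name should be corrected in the same hunk rather than left for a follow-up. A smaller style point in the unchanged context: `* ProtectSystem= option gained a new value "strict"` reads better as `* The ProtectSystem= option gained a new value "strict"`, consistent with the "The new ... option" phrasing of the other entries.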