author | Lennart Poettering <lennart@poettering.net> | 2014-06-03 23:41:44 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-06-03 23:57:51 +0200 |
commit | 417116f23432073162ebfcb286a7800846482eed (patch) | |
tree | 8e6076d15760c8079deb32eff461e0cc3168fa61 /src/core/execute.c | |
parent | 85b5673b337048fa881a5afb1d00d1a7b95950fb (diff) |
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be a good building block for a minimal service
sandbox, removing the ability of services to modify the operating
system or to access users' private data.
Diffstat (limited to 'src/core/execute.c')
-rw-r--r-- | src/core/execute.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/src/core/execute.c b/src/core/execute.c
index af8e7c725b..ce8b9bcb8b 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1569,7 +1569,9 @@ int exec_spawn(ExecCommand *command,
 !strv_isempty(context->inaccessible_dirs) ||
 context->mount_flags != 0 ||
 (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
- context->private_devices) {
+ context->private_devices ||
+ context->read_only_system ||
+ context->protected_home != PROTECTED_HOME_NO) {
 char *tmp = NULL, *var = NULL;
@@ -1593,8 +1595,9 @@ int exec_spawn(ExecCommand *command,
 tmp,
 var,
 context->private_devices,
+ context->protected_home,
+ context->read_only_system,
 context->mount_flags);
-
 if (err < 0) {
 r = EXIT_NAMESPACE;
 goto fail_child;
@@ -2111,6 +2114,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 "%sPrivateTmp: %s\n"
 "%sPrivateNetwork: %s\n"
 "%sPrivateDevices: %s\n"
+ "%sProtectedHome: %s\n"
+ "%sReadOnlySystem: %s\n"
 "%sIgnoreSIGPIPE: %s\n",
 prefix, c->umask,
 prefix, c->working_directory ? c->working_directory : "/",
@@ -2119,6 +2124,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
 prefix, yes_no(c->private_tmp),
 prefix, yes_no(c->private_network),
 prefix, yes_no(c->private_devices),
+ prefix, protected_home_to_string(c->protected_home),
+ prefix, yes_no(c->read_only_system),
 prefix, yes_no(c->ignore_sigpipe));
 STRV_FOREACH(e, c->environment) |
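Review bot: The namespace-setup call in the second hunk now passes a long run of positional arguments in which two bools (`context->private_devices`, `context->read_only_system`) sit next to the `ProtectedHome` enum value `context->protected_home`, so a swapped or misordered pair would compile silently and quietly weaken the sandbox; the callee's prototype is outside this hunk, so the order cannot be confirmed from here. Consider passing `context` itself (or a small options struct) so each flag is selected by name rather than by position, or at minimum add a call-site comment naming the parameter each of the new arguments fills. The `if (err < 0)` branch that sets `r = EXIT_NAMESPACE` and jumps to `fail_child` (presumably on the return value of that call, which starts before this hunk) keeps the failure mode closed — a service whose sandbox cannot be built does not start — which is the right default and is worth recording in a one-line comment such as `/* Refuse to run unsandboxed if the requested namespace could not be set up */`. exec_spawn's body starts and ends outside this hunk.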
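Review bot: In the last hunk `protected_home_to_string(c->protected_home)` is handed straight to a `%s` conversion with no NULL guard, unlike the `c->working_directory ? c->working_directory : "/"` argument a few lines earlier in the same dump; if the lookup returns NULL for an out-of-range enum value (the definition is not in this diff, but systemd's string-table helpers typically do), passing NULL for `%s` is undefined behavior in C and only happens to print "(null)" on glibc. Guard it in the same spirit as the working-directory argument, e.g. `prefix, strna(protected_home_to_string(c->protected_home)),` if strna() is in scope here, or an explicit `? : "n/a"` ternary otherwise, so the dump cannot crash on a corrupted or unexpected context. The fprintf call this belongs to begins before the hunk, in exec_context_dump.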