diff options
| author | Djalal Harouni <tixxdz@opendz.org> | 2016-10-12 13:31:21 +0200 |
|---|---|---|
| committer | Djalal Harouni <tixxdz@opendz.org> | 2016-10-12 13:31:21 +0200 |
| commit | 502d704e5ed2d288069471f4e3611115cde107d6 (patch) | |
| tree | 4f477c49d4ce8b979479735bcc4f4043b2df111b /src/core/load-fragment-gperf.gperf.m4 | |
| parent | 18e51a022c632344c4a48ba6ccb3475fad2a2c3b (diff) | |
core:sandbox: Add ProtectKernelModules= option
This is useful to turn off explicit module load and unload operations on modular
kernels. This option removes CAP_SYS_MODULE from the capability bounding set for
the unit, and installs a system call filter to block module system calls.
This option will not prevent the kernel from loading modules using the module
auto-load feature which is a system wide operation.
Diffstat (limited to 'src/core/load-fragment-gperf.gperf.m4')
| -rw-r--r-- | src/core/load-fragment-gperf.gperf.m4 | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index c49c1d6732..a700d853cc 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -90,6 +90,7 @@ $1.InaccessiblePaths, config_parse_namespace_path_strv, 0, $1.PrivateTmp, config_parse_bool, 0, offsetof($1, exec_context.private_tmp) $1.PrivateDevices, config_parse_bool, 0, offsetof($1, exec_context.private_devices) $1.ProtectKernelTunables, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_tunables) +$1.ProtectKernelModules, config_parse_bool, 0, offsetof($1, exec_context.protect_kernel_modules) $1.ProtectControlGroups, config_parse_bool, 0, offsetof($1, exec_context.protect_control_groups) $1.PrivateNetwork, config_parse_bool, 0, offsetof($1, exec_context.private_network) $1.PrivateUsers, config_parse_bool, 0, offsetof($1, exec_context.private_users) |