core: introduce ProtectSystem=strict

Let's tighten our sandbox a bit more: with this change ProtectSystem= gains a new setting "strict". If set, the entire directory tree of the system is mounted read-only, but the API file systems /proc, /dev, /sys are excluded (they may be managed with PrivateDevices= and ProtectKernelTunables=). Also, /home and /root are excluded as those are left for ProtectHome= to manage. In this mode, all "real" file systems (i.e. non-API file systems) are mounted read-only, and specific directories may only be excluded via ReadWriteDirectories=, thus implementing an effective whitelist instead of blacklist of writable directories. While we are at, also add /efi to the list of paths always affected by ProtectSystem=. This is a follow-up for b52a109ad38cd37b660ccd5394ff5c171a5e5355 which added /efi as alternative for /boot. Our namespacing logic should respect that too.
author: Lennart Poettering <lennart@poettering.net> 2016-08-25 15:57:21 +0200
committer: Djalal Harouni <tixxdz@opendz.org> 2016-09-25 10:42:18 +0200
commit: 3f815163ff8fdcdbd329680580df36f94e15325d (patch)
tree: 1436ba9f8a74ad8c6f4311764b7591a8283a5c00 /src/core/namespace.h
parent: 160cfdbed3eb23b6bc3c17613685b756f23be4a1 (diff)
1 files changed, 1 insertions, 0 deletions
diff --git a/src/core/namespace.h b/src/core/namespace.h
index 3845336287..6505bcc499 100644
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -35,6 +35,7 @@ typedef enum ProtectSystem {
         PROTECT_SYSTEM_NO,
         PROTECT_SYSTEM_YES,
         PROTECT_SYSTEM_FULL,
+        PROTECT_SYSTEM_STRICT,
         _PROTECT_SYSTEM_MAX,
         _PROTECT_SYSTEM_INVALID = -1
 } ProtectSystem;
author	Lennart Poettering <lennart@poettering.net>	2016-08-25 15:57:21 +0200
committer	Djalal Harouni <tixxdz@opendz.org>	2016-09-25 10:42:18 +0200
commit	3f815163ff8fdcdbd329680580df36f94e15325d (patch)
tree	1436ba9f8a74ad8c6f4311764b7591a8283a5c00 /src/core/namespace.h
parent	160cfdbed3eb23b6bc3c17613685b756f23be4a1 (diff)