main: add configuration option to alter capability bounding set for PID 1

This also ensures that caps dropped from the bounding set are also dropped from the inheritable set, to be extra-secure. Usually that should change very little though as the inheritable set is empty for all our uses anyway.
author: Lennart Poettering <lennart@poettering.net> 2012-05-24 04:00:56 +0200
committer: Lennart Poettering <lennart@poettering.net> 2012-05-24 04:00:56 +0200
commit: ec8927ca5940e809f0b72f530582c76f1db4f065 (patch)
tree: b230d2458088a82b879afc39a2752d5fc674974e /src/core/system.conf
parent: e056b01d8acea7fc06d52ef91d227d744faf5259 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/src/core/system.conf b/src/core/system.conf
index 2b14d3e31e..7b9171b803 100644
--- a/src/core/system.conf
+++ b/src/core/system.conf
@@ -24,3 +24,20 @@
 #JoinControllers=cpu,cpuacct
 #RuntimeWatchdogSec=0
 #ShutdownWatchdogSec=10min
+#CapabilityBoundingSet=
+#DefaultLimitCPU=
+#DefaultLimitFSIZE=
+#DefaultLimitDATA=
+#DefaultLimitSTACK=
+#DefaultLimitCORE=
+#DefaultLimitRSS=
+#DefaultLimitNOFILE=
+#DefaultLimitAS=
+#DefaultLimitNPROC=
+#DefaultLimitMEMLOCK=
+#DefaultLimitLOCKS=
+#DefaultLimitSIGPENDING=
+#DefaultLimitMSGQUEUE=
+#DefaultLimitNICE=
+#DefaultLimitRTPRIO=
+#DefaultLimitRTTIME=
author	Lennart Poettering <lennart@poettering.net>	2012-05-24 04:00:56 +0200
committer	Lennart Poettering <lennart@poettering.net>	2012-05-24 04:00:56 +0200
commit	ec8927ca5940e809f0b72f530582c76f1db4f065 (patch)
tree	b230d2458088a82b879afc39a2752d5fc674974e /src/core/system.conf
parent	e056b01d8acea7fc06d52ef91d227d744faf5259 (diff)