summaryrefslogtreecommitdiff
path: root/src/core/unit.c
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2016-08-25 16:12:46 +0200
committerDjalal Harouni <tixxdz@opendz.org>2016-09-25 10:42:18 +0200
commit63bb64a056113d4be5fefb16604accf08c8c204a (patch)
treede25d811ab238a0d1ad3509ffb2ffd7a1f897259 /src/core/unit.c
parent3f815163ff8fdcdbd329680580df36f94e15325d (diff)
core: imply ProtectHome=read-only and ProtectSystem=strict if DynamicUser=1
Let's make sure that services that use DynamicUser=1 cannot leave files in the file system should the system accidentally have a world-writable directory somewhere. This effectively ensures that directories need to be whitelisted rather than blacklisted for access when DynamicUser=1 is set.
Diffstat (limited to 'src/core/unit.c')
-rw-r--r--src/core/unit.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c
index de22f657c6..5d284a359d 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -3377,8 +3377,14 @@ int unit_patch_contexts(Unit *u) {
return -ENOMEM;
}
+ /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID
+ * around in the file system or on IPC objects. Hence enforce a strict sandbox. */
+
ec->private_tmp = true;
ec->remove_ipc = true;
+ ec->protect_system = PROTECT_SYSTEM_STRICT;
+ if (ec->protect_home == PROTECT_HOME_NO)
+ ec->protect_home = PROTECT_HOME_READ_ONLY;
}
}