diff options
author | Lennart Poettering <lennart@poettering.net> | 2016-08-25 16:12:46 +0200 |
---|---|---|
committer | Djalal Harouni <tixxdz@opendz.org> | 2016-09-25 10:42:18 +0200 |
commit | 63bb64a056113d4be5fefb16604accf08c8c204a (patch) | |
tree | de25d811ab238a0d1ad3509ffb2ffd7a1f897259 /src/core/unit.c | |
parent | 3f815163ff8fdcdbd329680580df36f94e15325d (diff) |
core: imply ProtectHome=read-only and ProtectSystem=strict if DynamicUser=1
Let's make sure that services that use DynamicUser=1 cannot leave files in the
file system should the system accidentally have a world-writable directory
somewhere.
This effectively ensures that directories need to be whitelisted rather than
blacklisted for access when DynamicUser=1 is set.
Diffstat (limited to 'src/core/unit.c')
-rw-r--r-- | src/core/unit.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/src/core/unit.c b/src/core/unit.c index de22f657c6..5d284a359d 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -3377,8 +3377,14 @@ int unit_patch_contexts(Unit *u) { return -ENOMEM; } + /* If the dynamic user option is on, let's make sure that the unit can't leave its UID/GID + * around in the file system or on IPC objects. Hence enforce a strict sandbox. */ + ec->private_tmp = true; ec->remove_ipc = true; + ec->protect_system = PROTECT_SYSTEM_STRICT; + if (ec->protect_home == PROTECT_HOME_NO) + ec->protect_home = PROTECT_HOME_READ_ONLY; } } |