diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-06-04 18:07:55 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-06-04 18:12:55 +0200 |
| commit | 1b8689f94983b47bf190e77ddb03a8fc6af15fb3 (patch) | |
| tree | 7bb1324b3b882adaa0b8bf786f8848ccec156a94 /units | |
| parent | 4c02dd7153f970244950b5e00f7bdfea8d2ff0be (diff) | |
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
Diffstat (limited to 'units')
| -rw-r--r-- | units/systemd-bus-proxyd@.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-hostnamed.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-journal-gatewayd.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-journald.service.in | 2 | ||||
| -rw-r--r-- | units/systemd-localed.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-machined.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-networkd.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-resolved.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-timedated.service.in | 4 | ||||
| -rw-r--r-- | units/systemd-timesyncd.service.in | 4 |
10 files changed, 18 insertions, 20 deletions
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in index 3dc2cd9e65..0499269f3d 100644 --- a/units/systemd-bus-proxyd@.service.in +++ b/units/systemd-bus-proxyd@.service.in @@ -18,5 +18,5 @@ CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=full +ProtectHome=yes diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index 497b8d9974..cc88ecd0db 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -18,5 +18,5 @@ WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=yes +ProtectHome=yes diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index 3695240cbf..5bd8e4b341 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -17,8 +17,8 @@ SupplementaryGroups=systemd-journal PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=full +ProtectHome=yes [Install] Also=systemd-journal-gatewayd.socket diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 4a307c708b..70139795a5 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -21,8 +21,6 @@ RestartSec=0 NotifyAccess=all StandardOutput=null CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID -ReadOnlySystem=yes -ProtectedHome=yes WatchdogSec=1min # Increase the default a bit in order to allow many simultaneous diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index e1792d6546..bfa097844f 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -18,5 +18,5 @@ WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=yes +ProtectHome=yes diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index 07522e12a4..e60ea32fa0 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -20,5 +20,5 @@ WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes -ReadOnlySystem=yes -ProtectedHome=yes +PortectSystem=full +ProtectHome=yes diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index a928999205..373ac4e0fd 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -20,8 +20,8 @@ Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-networkd CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=full +ProtectHome=yes WatchdogSec=1min [Install] diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in index 787fde2c44..0133621622 100644 --- a/units/systemd-resolved.service.in +++ b/units/systemd-resolved.service.in @@ -16,8 +16,8 @@ Restart=always RestartSec=0 ExecStart=@rootlibexecdir@/systemd-resolved CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=full +ProtectHome=yes [Install] WantedBy=multi-user.target diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index 9658149eef..fe5ccb4601 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -16,5 +16,5 @@ BusName=org.freedesktop.timedate1 CapabilityBoundingSet=CAP_SYS_TIME WatchdogSec=1min PrivateTmp=yes -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=yes +ProtectHome=yes diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index 030e4a0423..8d898e2fa7 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -23,8 +23,8 @@ ExecStart=@rootlibexecdir@/systemd-timesyncd CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER PrivateTmp=yes PrivateDevices=yes -ReadOnlySystem=yes -ProtectedHome=yes +ProtectSystem=full +ProtectHome=yes WatchdogSec=1min [Install] |