Diffstat (limited to 'units')
-rw-r--r--units/emergency.service.in2
-rw-r--r--units/getty@.service.m46
-rw-r--r--units/rescue.service.in2
-rw-r--r--units/systemd-ask-password-console.path2
-rw-r--r--units/systemd-ask-password-wall.path2
-rw-r--r--units/systemd-hostnamed.service.in2
-rw-r--r--units/systemd-importd.service.in2
-rw-r--r--units/systemd-journald.service.in2
-rw-r--r--units/systemd-localed.service.in2
-rw-r--r--units/systemd-logind.service.in2
-rw-r--r--units/systemd-machined.service.in2
-rw-r--r--units/systemd-networkd.service.m4.in2
-rw-r--r--units/systemd-nspawn@.service.in11
-rw-r--r--units/systemd-resolved.service.m4.in4
-rw-r--r--units/systemd-timedated.service.in2
-rw-r--r--units/systemd-timesyncd.service.in2
-rw-r--r--units/systemd-udevd.service.in1
-rw-r--r--units/systemd-vconsole-setup.service.in3
-rw-r--r--units/tmp.mount.m42
-rw-r--r--units/user/graphical-session-pre.target14
-rw-r--r--units/user/graphical-session.target13
21 files changed, 62 insertions, 18 deletions
diff --git a/units/emergency.service.in b/units/emergency.service.in
index 0de16f24e8..da68eb8faa 100644
--- a/units/emergency.service.in
+++ b/units/emergency.service.in
@@ -18,7 +18,7 @@ Before=shutdown.target
Environment=HOME=/root
WorkingDirectory=-/root
ExecStartPre=-/bin/plymouth --wait quit
-ExecStartPre=-/bin/echo -e 'Welcome to emergency mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\ntry again to boot into default mode.'
+ExecStartPre=-/bin/echo -e 'You are in emergency mode. After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\ntry again to boot into default mode.'
ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default"
Type=idle
StandardInput=tty-force
diff --git a/units/getty@.service.m4 b/units/getty@.service.m4
index 46164ab9d8..5b82c13fc5 100644
--- a/units/getty@.service.m4
+++ b/units/getty@.service.m4
@@ -20,6 +20,12 @@ After=rc-local.service
Before=getty.target
IgnoreOnIsolate=yes
+# IgnoreOnIsolate causes issues with sulogin, if someone isolates
+# rescue.target or starts rescue.service from multi-user.target or
+# graphical.target.
+Conflicts=rescue.service
+Before=rescue.service
+
# On systems without virtual consoles, don't start any getty. Note
# that serial gettys are covered by serial-getty@.service, not this
# unit.
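Review bot: The added `Conflicts=rescue.service` / `Before=rescue.service` pair covers rescue mode only, yet emergency.service in this same commit starts the same `@SULOGIN@` command with `StandardInput=tty-force`. A getty kept alive by `IgnoreOnIsolate=yes` would presumably compete with sulogin for the console there as well, which matters because a root password typed at that prompt should reach exactly one reader. If that case applies, the lines could read `Conflicts=rescue.service emergency.service` and `Before=rescue.service emergency.service`, with the comment extended to name emergency mode. The context comment also points at serial-getty@.service, which this commit leaves unchanged, so it is worth confirming whether serial consoles need the same treatment.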
diff --git a/units/rescue.service.in b/units/rescue.service.in
index ecf96bc211..5feff69c89 100644
--- a/units/rescue.service.in
+++ b/units/rescue.service.in
@@ -17,7 +17,7 @@ Before=shutdown.target
Environment=HOME=/root
WorkingDirectory=-/root
ExecStartPre=-/bin/plymouth --wait quit
-ExecStartPre=-/bin/echo -e 'Welcome to rescue mode! After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\nboot into default mode.'
+ExecStartPre=-/bin/echo -e 'You are in rescue mode. After logging in, type "journalctl -xb" to view\\nsystem logs, "systemctl reboot" to reboot, "systemctl default" or ^D to\\nboot into default mode.'
ExecStart=-/bin/sh -c "@SULOGIN@; @SYSTEMCTL@ --job-mode=fail --no-block default"
Type=idle
StandardInput=tty-force
diff --git a/units/systemd-ask-password-console.path b/units/systemd-ask-password-console.path
index 2949635fea..7899ae788f 100644
--- a/units/systemd-ask-password-console.path
+++ b/units/systemd-ask-password-console.path
@@ -11,7 +11,7 @@ Documentation=man:systemd-ask-password-console.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
After=plymouth-start.service
-Before=paths.target shutdown.target
+Before=paths.target shutdown.target cryptsetup.target
ConditionPathExists=!/run/plymouth/pid
[Path]
diff --git a/units/systemd-ask-password-wall.path b/units/systemd-ask-password-wall.path
index 95ec9bc8a0..a3ca617256 100644
--- a/units/systemd-ask-password-wall.path
+++ b/units/systemd-ask-password-wall.path
@@ -10,7 +10,7 @@ Description=Forward Password Requests to Wall Directory Watch
Documentation=man:systemd-ask-password-console.service(8)
DefaultDependencies=no
Conflicts=shutdown.target
-Before=paths.target shutdown.target
+Before=paths.target shutdown.target cryptsetup.target
[Path]
DirectoryNotEmpty=/run/systemd/ask-password
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index b7079e4a7c..0b03a589ea 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -20,3 +20,5 @@ PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes
ProtectHome=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
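Review bot: The new `MemoryDenyWriteExecute=yes` and `SystemCallFilter=` lines appear without `SystemCallArchitectures=native` in the visible lines, and systemd.exec(5) recommends combining them so that a secondary ABI on multi-ABI hosts such as x86-64 is not left outside the restriction. Consider adding `SystemCallArchitectures=native` after the filter line, unless it is already set earlier in the unit, which this hunk does not show. The same applies to the matching additions in the importd, journald, localed, logind, machined, networkd, resolved, timedated and timesyncd hunks. Since the `~` prefix makes this a deny-list, every call outside the named groups stays permitted, which a short comment such as `# Deny-list: only the listed syscall groups are blocked` would make explicit for the next reader.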
diff --git a/units/systemd-importd.service.in b/units/systemd-importd.service.in
index b74ad72cdc..0f5489e7e3 100644
--- a/units/systemd-importd.service.in
+++ b/units/systemd-importd.service.in
@@ -17,3 +17,5 @@ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD CAP_SETFCAP CAP_
NoNewPrivileges=yes
WatchdogSec=3min
KillMode=mixed
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in
index 41bfde5be3..08ace8ae44 100644
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -24,6 +24,8 @@ StandardOutput=null
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID CAP_MAC_OVERRIDE
WatchdogSec=3min
FileDescriptorStoreMax=1024
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
# Increase the default a bit in order to allow many simultaneous
# services being run since we keep one fd open per service. Also, when
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 9b13f901a3..1f3151c2b5 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -20,3 +20,5 @@ PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=yes
ProtectHome=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in
index ff049134ee..bee08d011f 100644
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@@ -25,6 +25,8 @@ RestartSec=0
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_SYS_TTY_CONFIG
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
# Increase the default a bit in order to allow many simultaneous
# logins since we keep one fd open per session.
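Review bot: This filter leaves `@mount` allowed, while the hostnamed, importd, journald, localed, networkd and resolved hunks all deny it, and nothing here says why. The machined hunk has the same omission; there the trailing context comment about the host's mount namespace at least hints at a reason. An undocumented gap in an otherwise uniform deny-list is easy to "fix" or to copy by mistake, so a comment above the line, for example `# @mount is deliberately not filtered: <operation that needs it>`, would help. The timedated and timesyncd hunks likewise drop `@clock`, presumably because those daemons set the clock, and deserve the same kind of one-line note.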
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 685baab21d..dcf9f347b7 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -17,6 +17,8 @@ ExecStart=@rootlibexecdir@/systemd-machined
BusName=org.freedesktop.machine1
CapabilityBoundingSet=CAP_KILL CAP_SYS_PTRACE CAP_SYS_ADMIN CAP_SETGID CAP_SYS_CHROOT CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_MKNOD
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io
# Note that machined cannot be placed in a mount namespace, since it
# needs access to the host's mount namespace in order to implement the
diff --git a/units/systemd-networkd.service.m4.in b/units/systemd-networkd.service.m4.in
index 27d4d58962..38d967d2d1 100644
--- a/units/systemd-networkd.service.m4.in
+++ b/units/systemd-networkd.service.m4.in
@@ -31,6 +31,8 @@ CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_N
ProtectSystem=full
ProtectHome=yes
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
[Install]
WantedBy=multi-user.target
diff --git a/units/systemd-nspawn@.service.in b/units/systemd-nspawn@.service.in
index ea28941507..c8141639b6 100644
--- a/units/systemd-nspawn@.service.in
+++ b/units/systemd-nspawn@.service.in
@@ -20,20 +20,13 @@ RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
Delegate=yes
-TasksMax=8192
+TasksMax=16384
# Enforce a strict device policy, similar to the one nspawn configures
# when it allocates its own scope unit. Make sure to keep these
# policies in sync if you change them!
-DevicePolicy=strict
-DeviceAllow=/dev/null rwm
-DeviceAllow=/dev/zero rwm
-DeviceAllow=/dev/full rwm
-DeviceAllow=/dev/random rwm
-DeviceAllow=/dev/urandom rwm
-DeviceAllow=/dev/tty rwm
+DevicePolicy=closed
DeviceAllow=/dev/net/tun rwm
-DeviceAllow=/dev/pts/ptmx rw
DeviceAllow=char-pts rw
# nspawn itself needs access to /dev/loop-control and /dev/loop, to
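Review bot: With `DevicePolicy=closed` the unit no longer spells out which pseudo-devices the container may use, but the comment above still asks maintainers to keep this policy in sync with the one nspawn sets on its own scope unit. The effective allow-list now depends on what the manager defines `closed` to include rather than on this file, so a later change to that definition would alter the device policy here without any change to this unit. Suggest extending the comment, e.g. `# DevicePolicy=closed implicitly allows the standard pseudo-devices (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom); only additional devices are listed below.` Whether `/dev/tty` and `/dev/pts/ptmx`, which were listed explicitly before, are covered by `closed` with the same access bits should be confirmed against the manager's implementation.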
diff --git a/units/systemd-resolved.service.m4.in b/units/systemd-resolved.service.m4.in
index 8e1c1dea79..15ab56a066 100644
--- a/units/systemd-resolved.service.m4.in
+++ b/units/systemd-resolved.service.m4.in
@@ -23,10 +23,12 @@ Type=notify
Restart=always
RestartSec=0
ExecStart=@rootlibexecdir@/systemd-resolved
-CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
ProtectSystem=full
ProtectHome=yes
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
[Install]
WantedBy=multi-user.target
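Review bot: `CapabilityBoundingSet=` gains `CAP_NET_RAW` and `CAP_NET_BIND_SERVICE` with no comment saying which operation needs them, in a hunk that otherwise tightens the unit. `CAP_NET_RAW` permits raw and packet sockets, so it is the kind of widening a later audit will want justified. A comment above the line would do, for example `# CAP_NET_BIND_SERVICE: bind the DNS port; CAP_NET_RAW: <operation that needs it>`. The presence of `CAP_SETUID`, `CAP_SETGID` and `CAP_SETPCAP` suggests the daemon changes identity at startup. Whether the two new capabilities are kept afterwards is not visible here and is worth stating in that comment.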
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index 0c9599db20..bc1795d747 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -18,3 +18,5 @@ WatchdogSec=3min
PrivateTmp=yes
ProtectSystem=yes
ProtectHome=yes
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index a856dad709..df1e339196 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -28,6 +28,8 @@ PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
WatchdogSec=3min
+MemoryDenyWriteExecute=yes
+SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io
[Install]
WantedBy=sysinit.target
diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in
index 79f28c87c6..67e4c5fcd7 100644
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@@ -24,3 +24,4 @@ ExecStart=@rootlibexecdir@/systemd-udevd
MountFlags=slave
KillMode=mixed
WatchdogSec=3min
+TasksMax=infinity
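Review bot: `TasksMax=infinity` removes the task limit for udevd and every helper it spawns, and the hunk gives no reason for it. The default limit exists to contain runaway forking, so lifting it entirely for a root daemon deserves a comment, for example `# udevd spawns workers and helper programs per device event; the default task limit is too low on large systems` if that is the motivation. If a bound is still acceptable, a high finite value would keep some containment, as the nspawn hunk in this commit does with `TasksMax=16384`.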
diff --git a/units/systemd-vconsole-setup.service.in b/units/systemd-vconsole-setup.service.in
index 6160361871..2bd1fd1a5d 100644
--- a/units/systemd-vconsole-setup.service.in
+++ b/units/systemd-vconsole-setup.service.in
@@ -9,11 +9,8 @@
Description=Setup Virtual Console
Documentation=man:systemd-vconsole-setup.service(8) man:vconsole.conf(5)
DefaultDependencies=no
-Conflicts=shutdown.target
-Before=sysinit.target shutdown.target
ConditionPathExists=/dev/tty0
[Service]
Type=oneshot
-RemainAfterExit=yes
ExecStart=@rootlibexecdir@/systemd-vconsole-setup
diff --git a/units/tmp.mount.m4 b/units/tmp.mount.m4
index 1448bd268a..0baecfd22f 100644
--- a/units/tmp.mount.m4
+++ b/units/tmp.mount.m4
@@ -19,4 +19,4 @@ After=swap.target
What=tmpfs
Where=/tmp
Type=tmpfs
-Options=mode=1777,strictatime
+Options=mode=1777,strictatime,nosuid,nodev
diff --git a/units/user/graphical-session-pre.target b/units/user/graphical-session-pre.target
new file mode 100644
index 0000000000..86d15aff33
--- /dev/null
+++ b/units/user/graphical-session-pre.target
@@ -0,0 +1,14 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Session services which should run early before the graphical session is brought up
+Documentation=man:systemd.special(7)
+Requires=basic.target
+Before=graphical-session.target
+RefuseManualStart=yes
+StopWhenUnneeded=yes
diff --git a/units/user/graphical-session.target b/units/user/graphical-session.target
new file mode 100644
index 0000000000..00d16230b7
--- /dev/null
+++ b/units/user/graphical-session.target
@@ -0,0 +1,13 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Current graphical user session
+Documentation=man:systemd.special(7)
+Requires=basic.target
+RefuseManualStart=yes
+StopWhenUnneeded=yes