Now that we properly exclude autofs mounts from ProtectSystem= we can
include it in the effect of ProtectSystem= again.
Instead of blindly creating another bind mount for read-only mounts,
check if there's already one we can use, and if so, use it. Also,
recursively mark all submounts read-only too. Also, ignore autofs mounts
when remounting read-only unless they are already triggered.
/root can't really be autofs, and is also a home directory, so cover it
with ProtectHome=.
everything below
This has the benefit of not triggering any autofs mount points
unnecessarily.
Restart=on-abnormal is similar to Restart=on-failure, but avoids
restarts on unclean exit codes (while still doing restarts on all
obviously unclean exits, such as timeouts, signals, coredumps, watchdog
timeouts).
Also see:
https://fedorahosted.org/fpc/ticket/191
sd_pid_notify() operates like sd_notify(), however it operates on a
different PID (for example the parent PID of a process).
Make use of this in systemd-notify, so that messages are sent from the
PID specified with --pid= rather than the usually short-lived PID of
systemd-notify itself.
This should increase the likelihood that PID 1 can properly identify the
cgroup that the notification message was sent from.
It's not safe invoking NSS from PID 1, hence fork off worker processes
that upload the policy into the kernel for busnames.
This would otherwise unconditionally trigger any /boot autofs mount,
which we probably should avoid.
ProtectSystem= will now only cover /usr and (optionally) /etc, both of
which cannot be autofs anyway.
ProtectHome= will continue to cover /run/user and /home. The former
cannot be autofs either. /home could be, however it is frequently enough
used (unlike /boot) that it isn't too problematic to simply trigger
it unconditionally via ProtectHome=.
system
This is relatively complex, as we cannot invoke NSS from PID 1, and thus
need to fork a helper process temporarily.
-Wdate-time isn't known to clang, and it seems to cause errors in
syntastic.
Otherwise .network matching on MAC address will not work.
Based on a patch by Dave Reisner, and a bug originally reported by Max Pray.
also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
systemd fails to build (symbols not found/resolved during cgls link step)
under gcc-4.9.0 due to link-time optimization (lto) changes, in particular
from gcc-4.9.0/NEWS:
+ When using a linker plugin, compiling with the -flto option
now generates slim object files (.o) which only contain
intermediate language representation for LTO. Use
-ffat-lto-objects to create files which contain additionally
the object code. To generate static libraries suitable for LTO
processing, use gcc-ar and gcc-ranlib; to list symbols from a
slim object file use gcc-nm. (Requires that ar, ranlib and nm
have been compiled with plugin support.)
Both -flto and -ffat-lto-objects are now needed when building and linking
against static libs w/LTO.
Now that we moved the actual syslog socket to
/run/systemd/journal/dev-log we can actually make /dev/log a symlink to
it, when PrivateDevices= is used, thus making syslog available to
services using PrivateDevices=.
With this change we have no fifos/sockets remaining in /dev.
This way we can make the socket also available for sandboxed apps that
have their own private /dev. They can now simply symlink the socket from
/dev.
With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO
nodes in the file system, with the same lifecycle as the socket itself.
This has two benefits: first, this allows us to remove /dev/log and
/dev/initctl from /dev, thus leaving only symlinks, device nodes and
directories in the /dev tree. More importantly however, this allows us
to move /dev/log out of /dev, while still making it accessible there, so
that PrivateDevices= can provide /dev/log too.
The kernel will return 0 for REREADPT when no partition table
is found; we have to send out "change" ourselves.
mounted partitions:
# dd if=/dev/zero of=/dev/sda bs=1 count=1
UDEV [4157.369250] change .../0:0:0:0/block/sda (block)
UDEV [4157.375059] change .../0:0:0:0/block/sda/sda1 (block)
UDEV [4157.397088] change .../0:0:0:0/block/sda/sda2 (block)
UDEV [4157.404842] change .../0:0:0:0/block/sda/sda4 (block)
unmounted partitions:
# dd if=/dev/zero of=/dev/sdb bs=1 count=1
UDEV [4163.450217] remove .../target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
UDEV [4163.593167] change .../target6:0:0/6:0:0:0/block/sdb (block)
UDEV [4163.713982] add .../target6:0:0/6:0:0:0/block/sdb/sdb1 (block)
Reported by Kay.
This should make sure that fdisk-like programs will automatically
cause an update of all partitions, just like mkfs-like programs cause
an update of the partition.
https://bugs.freedesktop.org/show_bug.cgi?id=79576#c5
Either become uid/gid of the client we have been forked for, or become
the "systemd-bus-proxy" user if the client was root. We retain
CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
logind needs access to /run/user/, and udevd fails during early boot
with these settings.
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be a good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
Configuration will be in
root:root /run/systemd/network
and state will be in
systemd-network:systemd-network /run/systemd/netif
This matches what we do for logind's seat/session state.