summaryrefslogtreecommitdiff
path: root/TODO
AgeCommit message (Collapse)Author
2016-11-08Merge pull request #4536 from poettering/seccomp-namespacesZbigniew Jędrzejewski-Szmek
core: add new RestrictNamespaces= unit file setting Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
2016-11-05Drop FOREACH_WORD_QUOTEDZbigniew Jędrzejewski-Szmek
2016-11-04core: add new RestrictNamespaces= unit file settingLennart Poettering
This new setting permits restricting whether namespaces may be created and managed by processes started by a unit. It installs a seccomp filter blocking certain invocations of unshare(), clone() and setns(). RestrictNamespaces=no is the default, and does not restrict namespaces in any way. RestrictNamespaces=yes takes away the ability to create or manage any kind of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces so that only mount and IPC namespaces may be created/managed, but no other kind of namespaces. This setting should be improve security quite a bit as in particular user namespacing was a major source of CVEs in the kernel in the past, and is accessible to unprivileged processes. With this setting the entire attack surface may be removed for system services that do not make use of namespaces.
2016-11-02update TODOLennart Poettering
2016-10-20update TODOLennart Poettering
2016-10-12update TODOLennart Poettering
2016-10-11Merge pull request #4067 from poettering/invocation-idZbigniew Jędrzejewski-Szmek
Add an "invocation ID" concept to the service manager
2016-10-10update TODOLennart Poettering
2016-10-07update TODOLennart Poettering
2016-10-06update TODOLennart Poettering
2016-10-03NEWS: add another batch of entriesZbigniew Jędrzejewski-Szmek
2016-10-01core: complain if Before= dep on .device is declaredZbigniew Jędrzejewski-Szmek
[Unit] Before=foobar.device [Service] ExecStart=/bin/true Type=oneshot $ systemd-analyze verify before-device.service before-device.service: Dependency Before=foobar.device ignored (.device units cannot be delayed)
2016-09-28coredump,catalog: give better notice when a core file is truncatedZbigniew Jędrzejewski-Szmek
coredump had code to check if copy_bytes() hit the max_bytes limit, and refuse further processing in that case. But in 84ee0960443, the return convention for copy_bytes() was changed from -EFBIG to 1 for the case when the limit is hit, so the condition check in coredump couldn't ever trigger. But it seems that *do* want to process such truncated cores [1]. So change the code to detect truncation properly, but instead of returning an error, give a nice log entry. [1] https://github.com/systemd/systemd/issues/3883#issuecomment-239106337 Should fix (or at least alleviate) #3883.
2016-09-25Update TODOLennart Poettering
2016-09-15TODO: update networkd TODOSusant Sahani
2016-09-13TODO: remove duplicated itemZbigniew Jędrzejewski-Szmek
2016-09-13Always use unicode ellipsis when ellipsizingZbigniew Jędrzejewski-Szmek
We were already unconditionally using the unicode character when the input string was not pure ASCII, leading to different behaviour in depending on the input string. systemd[1]: Starting printit.service. python3[19962]: foooooooooooooooooooooooooooooooooooo…oooo python3[19964]: fooąęoooooooooooooooooooooooooooooooo…oooo python3[19966]: fooąęoooooooooooooooooooooooooooooooo…ąęąę python3[19968]: fooąęoooooooooooooooooąęąęąęąęąęąęąęą…ąęąę systemd[1]: Started printit.service.
2016-09-13TODO: remove strerror entryZbigniew Jędrzejewski-Szmek
I believe the remaining call sites are legitimate uses which cannot be easily replaced with %m.
2016-08-31machinectl: split OS field in two; print ip addresses (#4058)Seraphime Kirkovski
This splits the OS field in two : one for the distribution name and one for the the version id. Dashes are written for missing fields. This also prints ip addresses of known machines. The `--max-addresses` option specifies how much ip addresses we want to see. The default is 1. When more than one address is written for a machine, a `,` follows it. If there are more ips than `--max-addresses`, `...` follows the last address.
2016-08-22update TODOLennart Poettering
2016-08-06Merge pull request #3884 from poettering/private-usersZbigniew Jędrzejewski-Szmek
2016-08-04update TODOLennart Poettering
2016-08-03update TODOLennart Poettering
2016-07-22update TODOLennart Poettering
2016-07-21update TODOLennart Poettering
2016-07-11treewide: fix typos and remove accidental repetition of wordsTorstein Husebø
2016-07-01calendarspec: allow ranges in date and time specificationsDouglas Christman
Resolves #3042
2016-07-01update TODOLennart Poettering
2016-06-24updateLennart Poettering
2016-06-24systemctl: Create new unit files with "edit --force" (#3584)Doug Christman
2016-06-16update TODOLennart Poettering
2016-06-14update TODOLennart Poettering
2016-06-13update TODOLennart Poettering
2016-06-10update TODOLennart Poettering
2016-06-10update TODOLennart Poettering
2016-05-30update TODOLennart Poettering
2016-05-12update TODOLennart Poettering
2016-05-09update TODOLennart Poettering
2016-05-06NEWS: bring NEWS a bit up-to-dateLennart Poettering
2016-05-05Merge pull request #3190 from poettering/logind-fixesZbigniew Jędrzejewski-Szmek
2016-05-05update TODOLennart Poettering
2016-05-05update TODOLennart Poettering
2016-05-03Merge pull request #3173 from poettering/dnssec-incapdns-fixZbigniew Jędrzejewski-Szmek
Dnssec incapdns fix
2016-05-02update TODOLennart Poettering
2016-05-02update TODOLennart Poettering
2016-04-29update TODOLennart Poettering
2016-04-29update TODO a bitLennart Poettering
2016-04-22update TODOLennart Poettering
2016-04-21tree-wide: use mdash instead of a two minusesZbigniew Jędrzejewski-Szmek
2016-04-12update TODOLennart Poettering
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2025-02-16 23:53:26 +0000