summaryrefslogtreecommitdiff
path: root/src/core/execute.c
AgeCommit message (Expand)Author
2016-11-08core: on DynamicUser= make sure that protecting sensitive paths is enforced (...Djalal Harouni
2016-11-08Merge pull request #4536 from poettering/seccomp-namespacesZbigniew Jędrzejewski-Szmek
2016-11-07Rename formats-util.h to format-util.hZbigniew Jędrzejewski-Szmek
2016-11-04core: add new RestrictNamespaces= unit file settingLennart Poettering
2016-11-03Merge pull request #4510 from keszybz/tree-wide-cleanupsLennart Poettering
2016-11-03core: intialize user aux groups and SupplementaryGroups= when DynamicUser= is...Djalal Harouni
2016-11-02Merge pull request #4483 from poettering/exec-orderLennart Poettering
2016-11-02core: initialize groups list before checking SupplementaryGroups= of a unit (...Djalal Harouni
2016-11-02execute: apply seccomp filters after changing selinux/aa/smack contextsLennart Poettering
2016-10-28Merge pull request #4495 from topimiettinen/block-shmat-execDjalal Harouni
2016-10-27core: make unit argument const for apply seccomp functionsDjalal Harouni
2016-10-27core: lets apply working directory just after mount namespacesDjalal Harouni
2016-10-27core: get the working directory value inside apply_working_directory()Djalal Harouni
2016-10-27core: move apply working directory code into its own apply_working_directory()Djalal Harouni
2016-10-27core: move the code that setups namespaces on its own functionDjalal Harouni
2016-10-26seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecuteTopi Miettinen
2016-10-24seccomp: add new helper call seccomp_load_filter_set()Lennart Poettering
2016-10-24seccomp: add new seccomp_init_conservative() helperLennart Poettering
2016-10-24core: rework apply_protect_kernel_modules() to use seccomp_add_syscall_filter...Lennart Poettering
2016-10-24core: rework syscall filter set handlingLennart Poettering
2016-10-24core: move misplaced comment to the right placeLennart Poettering
2016-10-24core: simplify skip_seccomp_unavailable() a bitLennart Poettering
2016-10-24core: do not assert when sysconf(_SC_NGROUPS_MAX) fails (#4466)Djalal Harouni
2016-10-23core: lets move the setup of working directory before group enforceDjalal Harouni
2016-10-23core: first lookup and cache creds then apply them after namespace setupDjalal Harouni
2016-10-23tree-wide: drop NULL sentinel from strjoinZbigniew Jędrzejewski-Szmek
2016-10-17core/exec: add a named-descriptor option ("fd") for streams (#4179)Luca Bruno
2016-10-16tree-wide: use mfree moreZbigniew Jędrzejewski-Szmek
2016-10-12core: make sure to dump ProtectKernelModules= valueDjalal Harouni
2016-10-12core: check protect_kernel_modules and private_devices in order to setup NNPDjalal Harouni
2016-10-12core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=Djalal Harouni
2016-10-12core:sandbox: Add ProtectKernelModules= optionDjalal Harouni
2016-10-11core: chown() any TTY used for stdin, not just when StandardInput=tty is used...Lennart Poettering
2016-10-07core: add "invocation ID" concept to service managerLennart Poettering
2016-10-06user-util: rework maybe_setgroups() a bitLennart Poettering
2016-10-06core: leave PAM stub process around with GIDs updatedLennart Poettering
2016-10-06core: do not fail in a container if we can't use setgroupsGiuseppe Scrivano
2016-10-04tree-wide: remove consecutive duplicate words in commentsStefan Schweter
2016-09-25core: Use @raw-io syscall group to filter I/O syscalls when PrivateDevices= i...Djalal Harouni
2016-09-25execute: move SMACK setup code into its own functionLennart Poettering
2016-09-25execute: filter low-level I/O syscalls if PrivateDevices= is setLennart Poettering
2016-09-25execute: drop group priviliges only after setting up namespaceLennart Poettering
2016-09-25execute: if RuntimeDirectory= is set, it should be writableLennart Poettering
2016-09-25execute: move suppression of HOME=/ and SHELL=/bin/nologin into user-util.cLennart Poettering
2016-09-25execute: split out creation of runtime dirs into its own functionsLennart Poettering
2016-09-25core: add two new service settings ProtectKernelTunables= and ProtectControlG...Lennart Poettering
2016-09-25core: enforce seccomp for secondary archs too, for all rulesLennart Poettering
2016-09-06seccomp: also detect if seccomp filtering is enabledFelipe Sateler
2016-08-22core: do not fail at step SECCOMP if there is no kernel support (#4004)Felipe Sateler
2016-08-19core: bypass dynamic user lookups from dbus-daemonLennart Poettering
generated by cgit v1.2.3-54-g00ecf (git 2.45.2) at 2024-11-15 02:25:53 +0000