~lukeshu/systemd - Unnamed repository; edit this file 'description' to name the repository.

Age	Commit message (Collapse)	Author
2014-12-09	bus-proxy: cloning smack label	Przemyslaw Kedzierski
	When dbus client connects to systemd-bus-proxyd through Unix domain socket proxy takes client's smack label and sets for itself. It is done before and independent of dropping privileges. The reason of such soluton is fact that tests of access rights performed by lsm may take place inside kernel, not only in userspace of recipient of message. The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label. In case of systemd running in system mode, CAP_MAC_ADMIN should be added to CapabilityBoundingSet in service file of bus-proxyd. In case of systemd running in user mode ('systemd --user') it can be achieved by addition Capabilities=cap_mac_admin=i and SecureBits=keep-caps to user@.service file and setting cap_mac_admin+ei on bus-proxyd binary.
2014-11-28	bus-proxy: automatically detect scope of bus and derive which XML snippets ↵	Lennart Poettering
	to load from that
2014-11-13	sd-bus: sync with kdbus upstream (ABI break)	Daniel Mack
	kdbus has seen a larger update than expected lately, most notably with kdbusfs, a file system to expose the kdbus control files: * Each time a file system of this type is mounted, a new kdbus domain is created. * The layout inside each mount point is the same as before, except that domains are not hierarchically nested anymore. * Domains are therefore also unnamed now. * Unmounting a kdbusfs will automatically also detroy the associated domain. * Hence, the action of creating a kdbus domain is now as privileged as mounting a filesystem. * This way, we can get around creating dev nodes for everything, which is last but not least something that is not limited by 20-bit minor numbers. The kdbus specific bits in nspawn have all been dropped now, as nspawn can rely on the container OS to set up its own kdbus domain, simply by mounting a new instance. A new set of mounts has been added to mount things after the kernel modules have been loaded. For now, only kdbus is in this set, which is invoked with mount_setup_late().
2014-06-10	bus-proxy: read the right policy when running in user mode	Lennart Poettering

2014-06-04	core: rename ReadOnlySystem= to ProtectSystem= and add a third value for ↵	Lennart Poettering
	also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04	bus-proxy: drop priviliges if we can	Lennart Poettering
	Either become uid/gid of the client we have been forked for, or become the "systemd-bus-proxy" user if the client was root. We retain CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
2014-03-19	core: enable PrivateNetwork= for a number of our long running services where ↵	Lennart Poettering
	this is useful
2014-03-19	units: make use of PrivateTmp=yes and PrivateDevices=yes for all our ↵	Lennart Poettering
	long-running daemons
2013-12-23	units: limit caps for bus proxyd and driverd services	Lennart Poettering

2013-12-21	bus: send status message from proxyd to systemd about client we are working for	Lennart Poettering

2013-12-16	bus: fix typo in systemd-bus-proxyd	Kay Sievers

2013-12-13	bus: install systemd-bus-proxyd unit files for compatibility with dbus1	Lennart Poettering