summaryrefslogtreecommitdiff
path: root/units/systemd-journal-gatewayd.service.in
AgeCommit message (Collapse)Author
2016-09-25units: further lock down our long-running servicesLennart Poettering
Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
2015-12-15journal-remote: add documents in the unit filesYu Watanabe
2015-02-11Revert "units: add SecureBits"Lennart Poettering
This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11units: add SecureBitsTopi Miettinen
No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
2015-01-08journal: bump RLIMIT_NOFILE when journal files to 16K (if possible)Lennart Poettering
When there are a lot of split out journal files, we might run out of fds quicker then we want. Hence: bump RLIMIT_NOFILE to 16K if possible. Do these even for journalctl. On Fedora the soft RLIMIT_NOFILE is at 1K, the hard at 4K by default for normal user processes, this code hence bumps this up for users to 4K. https://bugzilla.redhat.com/show_bug.cgi?id=1179980
2014-06-04core: rename ReadOnlySystem= to ProtectSystem= and add a third value for ↵Lennart Poettering
also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-03core: add new ReadOnlySystem= and ProtectedHome= settings for service unitsLennart Poettering
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-03-19core: enable PrivateNetwork= for a number of our long running services where ↵Lennart Poettering
this is useful
2013-03-05journal: make gatewayd run under its own user IDLennart Poettering
2012-09-28journal: add minimal journal gateway daemon based on GNU libmicrohttpdLennart Poettering
This minimal HTTP server can serve journal data via HTTP. Its primary purpose is synchronization of journal data across the network. It serves journal data in three formats: text/plain: the text format known from /var/log/messages application/json: the journal entries formatted as JSON application/vnd.fdo.journal: the binary export format of the journal The HTTP server also serves a small HTML5 app that makes use of the JSON serialization to present the journal data to the user. Examples: This downloads the journal in text format: # systemctl start systemd-journal-gatewayd.service # wget http://localhost:19531/entries Same for JSON: # curl -H"Accept: application/json" http://localhost:19531/entries Access via web browser: $ firefox http://localhost:19531/