summaryrefslogtreecommitdiff
path: root/units/systemd-journald.service.in
AgeCommit message (Collapse)Author
2014-10-22journald: add CAP_MAC_OVERRIDE in journald for SMACK issueJuho Son
systemd-journald check the cgroup id to support rate limit option for every messages. so journald should be available to access cgroup node in each process send messages to journald. In system using SMACK, cgroup node in proc is assigned execute label as each process's execute label. so if journald don't want to denied for every process, journald should have all of access rule for all process's label. It's too heavy. so we could give special smack label for journald te get all accesses's permission. '^' label. When assign '^' execute smack label to systemd-journald, systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege. so I want to notice this information and set default capability to journald whether system use SMACK or not. because that capability affect to only smack enabled kernel
2014-06-04core: rename ReadOnlySystem= to ProtectSystem= and add a third value for ↵Lennart Poettering
also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-04journald: move /dev/log socket to /runLennart Poettering
This way we can make the socket also available for sandboxed apps that have their own private /dev. They can now simply symlink the socket from /dev.
2014-06-03core: add new ReadOnlySystem= and ProtectedHome= settings for service unitsLennart Poettering
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2013-12-11journald: port to sd-event and enable watchdog supportLennart Poettering
2012-09-03journal: don't pull in flush service from journald serviceLennart Poettering
In the initrd we don't need the flush service hence don't attempt to pull it in.
2012-09-03unit: make sure structured logging is available before we enter the main ↵Lennart Poettering
boot phase
2012-07-18units: don't enforce a holdoff time for journald, logind, udevdLennart Poettering
These services should be restarted as quickly as possible if they fail, and the extra safety net of the holdoff time is not necessary.
2012-07-11journal: replace implicit flushing of journal by explicit oneLennart Poettering
The old automatism that the flushing of the journal from /run to /var was triggered by the appearance of /var/log/journal is broken if that directory is mounted from another host and hence always available to be useful as mount point. To avoid probelsm with this, introduce a new unit that is explicitly orderer after all mounte files systems and triggers the flushing.
2012-06-28units: automatically respawn the core servicesLennart Poettering
2012-06-01units: fix man sectionLennart Poettering
2012-06-01man: document systemd-journalLennart Poettering
2012-05-21units: introduce new Documentation= field and make use of it everywhereLennart Poettering
This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
2012-04-12relicense to LGPLv2.1 (with exceptions)Lennart Poettering
We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-02-10journal: add CAP_SETUID and CAP_SETGID to capabilities for journald, so that ↵Lennart Poettering
we can fake SCM_CREDENTIALS
2012-02-09journal: limit caps we pass to journaldLennart Poettering
2012-01-06journald: start the journal after the syslog socket, so that the syslog ↵Lennart Poettering
socket queues syslog messages from early boot on
2011-12-30journal: add unit files and shared library glueLennart Poettering