From 4a77c53d64b91f8e622df7c7dec1579278f1e1ce Mon Sep 17 00:00:00 2001 From: Zbigniew Jędrzejewski-Szmek Date: Sun, 2 Oct 2016 14:51:49 +0200 Subject: NEWS: add another batch of entries --- NEWS | 76 +++++++++++++++++++++++++++++++++++++++++++++++++++++--------------- TODO | 1 + 2 files changed, 61 insertions(+), 16 deletions(-) diff --git a/NEWS b/NEWS index 5f3f76df4f..4a6a07ae18 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,36 @@ CHANGES WITH 232 in spe * The new RemoveIPC= option can be used to remove IPC objects owned by the user or group of a service when that service exits. + * ProtectSystem= option gained a new value "strict", which causes the + whole file system tree with the exception of /dev, /proc, and /sys, + to be remounted read-only for a service. + + The new ProtectedKernelTunables= options can be used to disable + modification of configuration files in /sys and /proc by a service. + Various directories and files are remounted read-only, so access is + restricted even if the file permissions would allow it. + + The new ProtectControlGroups= option can be used to disable write + access by a service to /sys/fs/cgroup. + + * Various systemd services have been hardened with + ProtectKernelTunables=yes, ProtectControlGroups=yes, + RestrictAddressFamilies=. + + In particular, systemd-udevd.service is now run in a Seccomp-based + sandbox that prohibits access to AF_INET and AF_INET6 sockets and + thus access to the network. This might break code that runs from udev + rules that tries to talk to the network. Doing that is generally a + bad idea and unsafe due to a variety of reasons. It's also racy as + device management would race against network configuration. It is + recommended to rework such rules to use the SYSTEMD_WANTS property on + the relevant devices to pull in a proper systemd service (which can + be sandboxed differently and ordered correctly after the network + having come up). If that's not possible consider reverting this + sandboxing feature locally by removing the RestrictAddressFamilies= + setting from the systemd-udevd.service unit file, or adding AF_INET + and AF_INET6 to it. + * Support for dynamically creating users for the lifetime of a service has been added. If DynamicUser=yes is specified, user and group IDs will be allocated from the range 61184..65519 for the lifetime of the @@ -12,7 +42,9 @@ CHANGES WITH 232 in spe module. The module must be enabled in /etc/nsswitch.conf. Services started in this way have PrivateTmp= and RemoveIPC= enabled, so that any resources allocated by the service will be cleaned up when the - service exits. + service exits. They also have ProtectHome=read-only and + ProtectSystem=strict enabled, so they are not able to make any + permanent modifications to the system. The nss-systemd module also always resolves root and nobody, making it possible to have no /etc/passwd or /etc/group files in minimal @@ -54,7 +86,7 @@ CHANGES WITH 232 in spe mount the EFI partition on systems where /boot is used for something else. - * disk/by-id symlinks are now created for NVMe drives. + * disk/by-id and disk/by-path symlinks are now created for NVMe drives. * Two new user session targets have been added to support running graphical sessions under the systemd --user instance: @@ -93,6 +125,9 @@ CHANGES WITH 232 in spe * systemd-run gained a new --wait option that makes service execution synchronous. + systemctl gained a new --wait option that causes the start command to + wait until the units being started have terminated again. + * A new journal output mode "short-full" has been added which uses timestamps with abbreviated English day names and adds a timezone suffix. Those timestamps include more information and can be parsed @@ -106,6 +141,12 @@ CHANGES WITH 232 in spe from a single IP can be limited with MaxConnectionsPerSource=, extending the existing setting of MaxConnections. + * systemd-networkd gained support for vcan ("Virtual CAN") interface + configuration. + + * .netdev and .network configuration can now be extended through + drop-ins. + * UDP Segmentation Offload, TCP Segmentation Offload, Generic Segmentation Offload, Generic Receive Offload, Large Receive Offload can be enabled and disabled using the new UDPSegmentationOffload=, @@ -118,6 +159,10 @@ CHANGES WITH 232 in spe new STP=, Priority=, AgeingTimeSec=, and DefaultPVID= settings in the [Bridge] section of .netdev files. + The route table to which routes received over DHCP or RA should be + added can be configured with the new RouteTable= option in the [DHCP] + and [IPv6AcceptRA] sections of .network files. + Address Resolution Protocol can be disabled on links managed by systemd-networkd using the ARP=no setting in the [Link] section of .network files. @@ -125,11 +170,24 @@ CHANGES WITH 232 in spe * $SERVICE_RESULT, $EXIT_CODE, $EXIT_STATUS are set for ExecStop= and ExecStopPost= commands. + * systemd-sysctl will now configure kernel parameters in the order + they occur in the configuration files. This mathes what sysctl + has been traditionally doing. + + * kernel-install "plugins" that are executed to perform various + tasks after a new kernel is added and before an old one is removed + can now return a special value to terminate the procedure and + prevent any later plugins from running. + * Journald's SplitMode=login setting has been deprecated. It has been removed from documentation, and it's use is discouraged. In a future release it will be completely removed, and made equivalent to current default of SplitMode=uid. + * Storage=both option setting in /etc/systemd/coredump.conf has been + removed. With fast LZ4 compression storing the core dump twice is not + useful. + * The --share-system systemd-nspawn option has been replaced with an (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of this functionality is discouraged. In addition the variables @@ -137,20 +195,6 @@ CHANGES WITH 232 in spe $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of individual namespaces. - * systemd-udevd.service is now run in a Seccomp-based sandbox that - prohibits access to AF_INET and AF_INET6 sockets and thus access to - the network. This might break code that runs from udev rules that - tries to talk to the network. Doing that is generally a bad idea and - unsafe due to a variety of reasons. It's also racy as device - management would race against network configuration. It is - recommended to rework such rules to use the SYSTEMD_WANTS property on - the relevant devices to pull in a proper systemd service (which can - be sandboxed differently and ordered correctly after the network - having come up). If that's not possible consider reverting this - sandboxing feature locally by removing the RestrictAddressFamilies= - setting from the systemd-udevd.service unit file, or adding AF_INET - and AF_INET6 to it. - CHANGES WITH 231: * In service units the various ExecXYZ= settings have been extended diff --git a/TODO b/TODO index ff9e9be9fb..f215a4944b 100644 --- a/TODO +++ b/TODO @@ -821,6 +821,7 @@ Features: or interface down - some servers don't do rapid commit without a filled in IA_NA, verify this behavior + - RouteTable= ? External: -- cgit v1.2.3-54-g00ecf