From ec8927ca5940e809f0b72f530582c76f1db4f065 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 24 May 2012 04:00:56 +0200
Subject: main: add configuration option to alter capability bounding set for
 PID 1

This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
---
 src/core/system.conf | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

(limited to 'src/core/system.conf')

diff --git a/src/core/system.conf b/src/core/system.conf
index 2b14d3e31e..7b9171b803 100644
--- a/src/core/system.conf
+++ b/src/core/system.conf
@@ -24,3 +24,20 @@
 #JoinControllers=cpu,cpuacct
 #RuntimeWatchdogSec=0
 #ShutdownWatchdogSec=10min
+#CapabilityBoundingSet=
+#DefaultLimitCPU=
+#DefaultLimitFSIZE=
+#DefaultLimitDATA=
+#DefaultLimitSTACK=
+#DefaultLimitCORE=
+#DefaultLimitRSS=
+#DefaultLimitNOFILE=
+#DefaultLimitAS=
+#DefaultLimitNPROC=
+#DefaultLimitMEMLOCK=
+#DefaultLimitLOCKS=
+#DefaultLimitSIGPENDING=
+#DefaultLimitMSGQUEUE=
+#DefaultLimitNICE=
+#DefaultLimitRTPRIO=
+#DefaultLimitRTTIME=
-- 
cgit v1.2.3-54-g00ecf