From 417116f23432073162ebfcb286a7800846482eed Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 3 Jun 2014 23:41:44 +0200
Subject: core: add new ReadOnlySystem= and ProtectedHome= settings for service
 units

ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
---
 units/systemd-resolved.service.in | 2 ++
 1 file changed, 2 insertions(+)

(limited to 'units/systemd-resolved.service.in')

diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in
index 9d422ca7f2..787fde2c44 100644
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -16,6 +16,8 @@ Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-resolved
 CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+ReadOnlySystem=yes
+ProtectedHome=yes
 
 [Install]
 WantedBy=multi-user.target
-- 
cgit v1.2.3-54-g00ecf