1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-25 23:21:33 +03:00
Commit Graph

17 Commits

Author SHA1 Message Date
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Yu Watanabe
debe5d2376 unit: remove redundant options 2017-08-08 12:17:12 +09:00
Yu Watanabe
b7f2d0ba24 units,sysusers: use DynamicUser= for journal-gatewayd and drop user systemd-journal-gateway from sysusers 2017-07-28 13:37:10 +09:00
Lennart Poettering
b6c7278c38 units: turn on ProtectKernelModules= for most long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
c7fb922d62 units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Yu Watanabe
c9d493281d journal-remote: add documents in the unit files 2015-12-15 10:51:12 +09:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Lennart Poettering
de45d72603 journal: bump RLIMIT_NOFILE when journal files to 16K (if possible)
When there are a lot of split out journal files, we might run out of fds
quicker then we want. Hence: bump RLIMIT_NOFILE to 16K if possible.

Do these even for journalctl. On Fedora the soft RLIMIT_NOFILE is at 1K,
the hard at 4K by default for normal user processes, this code hence
bumps this up for users to 4K.

https://bugzilla.redhat.com/show_bug.cgi?id=1179980
2015-01-08 03:20:45 +01:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Lennart Poettering
f21a71a907 core: enable PrivateNetwork= for a number of our long running services where this is useful 2014-03-19 23:25:28 +01:00
Lennart Poettering
37495eede9 journal: make gatewayd run under its own user ID 2013-03-05 19:15:31 +01:00
Lennart Poettering
7b17a7d72f journal: add minimal journal gateway daemon based on GNU libmicrohttpd
This minimal HTTP server can serve journal data via HTTP. Its primary
purpose is synchronization of journal data across the network. It serves
journal data in three formats:

       text/plain: the text format known from /var/log/messages
       application/json: the journal entries formatted as JSON
       application/vnd.fdo.journal: the binary export format of the journal

The HTTP server also serves a small HTML5 app that makes use of the JSON
serialization to present the journal data to the user.

Examples:

This downloads the journal in text format:

 # systemctl start systemd-journal-gatewayd.service
 # wget http://localhost:19531/entries

Same for JSON:

 # curl -H"Accept: application/json" http://localhost:19531/entries

Access via web browser:

 $ firefox http://localhost:19531/
2012-09-28 00:55:24 +02:00