1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 17:51:22 +03:00
Commit Graph

10 Commits

Author SHA1 Message Date
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Yu Watanabe
c9d493281d journal-remote: add documents in the unit files 2015-12-15 10:51:12 +09:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Lennart Poettering
de45d72603 journal: bump RLIMIT_NOFILE when journal files to 16K (if possible)
When there are a lot of split out journal files, we might run out of fds
quicker then we want. Hence: bump RLIMIT_NOFILE to 16K if possible.

Do these even for journalctl. On Fedora the soft RLIMIT_NOFILE is at 1K,
the hard at 4K by default for normal user processes, this code hence
bumps this up for users to 4K.

https://bugzilla.redhat.com/show_bug.cgi?id=1179980
2015-01-08 03:20:45 +01:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Lennart Poettering
f21a71a907 core: enable PrivateNetwork= for a number of our long running services where this is useful 2014-03-19 23:25:28 +01:00
Lennart Poettering
37495eede9 journal: make gatewayd run under its own user ID 2013-03-05 19:15:31 +01:00
Lennart Poettering
7b17a7d72f journal: add minimal journal gateway daemon based on GNU libmicrohttpd
This minimal HTTP server can serve journal data via HTTP. Its primary
purpose is synchronization of journal data across the network. It serves
journal data in three formats:

       text/plain: the text format known from /var/log/messages
       application/json: the journal entries formatted as JSON
       application/vnd.fdo.journal: the binary export format of the journal

The HTTP server also serves a small HTML5 app that makes use of the JSON
serialization to present the journal data to the user.

Examples:

This downloads the journal in text format:

 # systemctl start systemd-journal-gatewayd.service
 # wget http://localhost:19531/entries

Same for JSON:

 # curl -H"Accept: application/json" http://localhost:19531/entries

Access via web browser:

 $ firefox http://localhost:19531/
2012-09-28 00:55:24 +02:00