shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 00:51:24 +03:00
Code
29,920 Commits 4 Branches 390 Tags 551 MiB
71b514298b
Commit Graph

11 Commits

Author SHA1 Message Date
Lennart Poettering
635f3df5dc units: make use of the new !! ExecStart= prefix in systemd-resolved.service 
Let's make use of !! to run resolved with ambient capabilities on
systems supporting them.
 2017-08-10 15:04:32 +02:00
Yu Watanabe
4429c69f8d units: do not perform m4 if not necessary (#6575) 2017-08-09 09:13:41 -04:00
Dimitri John Ledkov
defa8e675b resolved: Do not add .busname dependencies, when compiling without kdbus. 2015-03-19 17:27:39 +01:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits" 
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
 2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits 
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
 2015-02-11 17:33:36 +01:00
Lennart Poettering
0ef403877a units: turn on watchdog for resolved 2015-01-27 14:31:44 +01:00
Lennart Poettering
78ad7cf1b9 units: make resolved pull in its own .busname unit, but only on kdbus systems 
The daemon requires the busname unit to operate, since it contains the
policy that allows it to acquire its service name.
 2015-01-07 23:44:08 +01:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
 2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units 
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
 2014-06-03 23:57:51 +02:00
Tom Gundersen
682265d5e2 resolved: run as unpriviliged "systemd-resolve" user 
This service is not yet network facing, but let's prepare nonetheless.
Currently all caps are dropped, but some may need to be kept in the
future.
 2014-06-03 10:40:28 +02:00
Tom Gundersen
091a364c80 resolved: add daemon to manage resolv.conf 
Also remove the equivalent functionality from networkd.
 2014-05-19 18:14:56 +02:00