1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-05 06:52:22 +03:00
Commit Graph

16 Commits

Author SHA1 Message Date
Lennart Poettering
e0f968ad96 units: drop systemd-remount-fs.service dependency from more services
All services using StateDirectory= don't need the explicit dep anymore,
let's hence drop it everywhere.
2020-04-08 16:29:41 +02:00
Kevin Kuehler
6168ae5840 units: set ProtectKernelLogs=yes on relevant units
We set ProtectKernelLogs=yes on all long running services except for
udevd, since it accesses /dev/kmsg, and journald, since it calls syslog
and accesses /dev/kmsg.
2019-11-15 00:59:54 -08:00
Lennart Poettering
62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Lennart Poettering
ee8f26180d units: switch from system call blacklist to whitelist
This is generally the safer approach, and is what container managers
(including nspawn) do, hence let's move to this too for our own
services. This is particularly useful as this this means the new
@system-service system call filter group will get serious real-life
testing quickly.

This also switches from firing SIGSYS on unexpected syscalls to
returning EPERM. This would have probably been a better default anyway,
but it's hard to change that these days. When whitelisting system calls
SIGSYS is highly problematic as system calls that are newly introduced
to Linux become minefields for services otherwise.

Note that this enables a system call filter for udev for the first time,
and will block @clock, @mount and @swap from it. Some downstream
distributions might want to revert this locally if they want to permit
unsafe operations on udev rules, but in general this shiuld be mostly
safe, as we already set MountFlags=shared for udevd, hence at least
@mount won't change anything.
2018-06-14 17:44:20 +02:00
Zbigniew Jędrzejewski-Szmek
a7df2d1e43 Add SPDX license headers to unit files 2017-11-19 19:08:15 +01:00
Lennart Poettering
0a9b166b43 units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
2017-10-04 14:16:28 +02:00
Lennart Poettering
bff8f2543b units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way how to properly
test this to the fullest extent.
2017-09-14 19:45:40 +02:00
Yu Watanabe
96f9f6aca7 unit: drop redundant options 2017-08-31 18:29:41 +09:00
Yu Watanabe
d0e62ae0f6 units: use {State,Logs}Directory= if they are applicable 2017-08-08 12:17:01 +09:00
Lennart Poettering
924453c225 units: lock down coredump service a bit
Dissecting a coredump is possibly risky and might take a while, hence
lock down the unit as much as we can.
2017-02-09 16:12:03 +01:00
Lennart Poettering
b6c7278c38 units: turn on ProtectKernelModules= for most long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
c7fb922d62 units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
3c171f0b1e coredump: rework coredumping logic
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data
about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a
stacktrace and writes the coredump to disk.

This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and
hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust=
and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally
priorized processes.

This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until
/var/systemd/coredump is mounted and writable.

Fixes: #2286
2016-02-10 16:08:32 +01:00