shaba/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 09:21:26 +03:00
Code
19,050 Commits 4 Branches 390 Tags 552 MiB
e87bc3ef67
Commit Graph

5 Commits

Author SHA1 Message Date
Lennart Poettering
78ad7cf1b9 units: make resolved pull in its own .busname unit, but only on kdbus systems 
The daemon requires the busname unit to operate, since it contains the
policy that allows it to acquire its service name.
 2015-01-07 23:44:08 +01:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only 
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
 2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units 
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
 2014-06-03 23:57:51 +02:00
Tom Gundersen
682265d5e2 resolved: run as unpriviliged "systemd-resolve" user 
This service is not yet network facing, but let's prepare nonetheless.
Currently all caps are dropped, but some may need to be kept in the
future.
 2014-06-03 10:40:28 +02:00
Tom Gundersen
091a364c80 resolved: add daemon to manage resolv.conf 
Also remove the equivalent functionality from networkd.
 2014-05-19 18:14:56 +02:00