mirror of
https://github.com/systemd/systemd.git
synced 2024-11-01 17:51:22 +03:00
ddc155b2fd
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC` mount flag for the file system tree. This can be used to implement file system W^X policies, and for example with allow-listing mode (NoExecPaths=/) a compromised service would not be able to execute a shell, if that was not explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.
11 lines
346 B
Desktop File
[Unit]
Description=Test for NoExecPaths=

[Service]
Type=oneshot
# This should work, as we explicitly disable the effect of NoExecPaths=
ExecStart=+/bin/sh -c '/bin/cat /dev/null'
# This should also work, as we do not disable the effect of NoExecPaths= but invert the exit code
ExecStart=/bin/sh -x -c '! /bin/cat /dev/null'
NoExecPaths=/bin/cat
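
The following is an added example, not part of the systemd repository: a small review-time check that reports which absolute paths named in a unit's Exec lines would be non-executable under its `NoExecPaths=`/`ExecPaths=` settings. It assumes a simplified model (the deepest matching entry decides, no symlink resolution, no line continuations), and the names `parse_service`, `is_blocked`, `audit` and the two Exec lines in the sample are hypothetical.

```python
import re

# Constructed sample: the allow-listing example from the commit message, plus
# two hypothetical Exec lines added here to exercise the check.
SAMPLE_UNIT = """\
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib
ExecStart=/usr/bin/daemon --foreground
ExecStartPost=/bin/sh -c '/usr/bin/logger started'
"""
EXEC_KEYS = {"ExecStart", "ExecStartPre", "ExecStartPost", "ExecCondition",
             "ExecReload", "ExecStop", "ExecStopPost"}

def parse_service(text):
    """Collect NoExecPaths=, ExecPaths= and Exec*= command lines from a unit."""
    rules = {"NoExecPaths": [], "ExecPaths": []}
    commands = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if key in rules and not value:
            rules[key].clear()              # empty assignment resets the list
        elif key in rules:                  # drop "-"/"+" path prefixes
            rules[key] += [p.lstrip("-+").rstrip("/") or "/" for p in value.split()]
        elif key in EXEC_KEYS:
            commands.append(value)
    return rules["NoExecPaths"], rules["ExecPaths"], commands

def is_blocked(path, noexec, execp):
    """Simplified model: the deepest matching entry decides; a tie is not blocked."""
    def depth(entries):
        hits = [len(e) for e in entries
                if e == "/" or path == e or path.startswith(e + "/")]
        return max(hits, default=-1)
    return depth(noexec) > depth(execp)

def audit(text):
    """Return (path, verdict) for each absolute path named in an Exec*= line."""
    noexec, execp, commands = parse_service(text)
    report = []
    for cmd in commands:
        exempt = "+" in re.match(r"[@\-:+!]*", cmd).group()  # "+" skips sandboxing
        for path in re.findall(r"/[^\s'\"]+", cmd):
            verdict = ("exempt" if exempt else
                       "blocked" if is_blocked(path, noexec, execp) else "allowed")
            report.append((path, verdict))
    return report
```

Run over the test unit above, `audit` marks every path on the `+` line as exempt and reports `/bin/cat` as blocked on the second `ExecStart=` line, which is why that line inverts the exit code.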