| Commit message (Collapse) | Author | Age |
|---|
| | |
|
| |
|
|
| |
Process possible "discard" values from /etc/fstab.
|
| |
|
|
|
|
|
|
|
|
| |
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
|
| |
|
|
| |
Mark two function parameters as const
|
| |
|
|
|
|
|
|
|
|
|
|
| |
If BusPolicy= was passed, the parser function will have created
an ExecContext->bus_endpoint object, along with policy information.
In that case, create a kdbus endpoint, and pass its path name to the
namespace logic, to it will be mounted over the actual 'bus' node.
At endpoint creation time, no policy is updloaded. That is done after
fork(), through a separate call. This is necessary because we don't
know the real uid of the process earlier than that.
|
| |
|
|
|
|
|
|
|
|
| |
If a path to a previously created custom kdbus endpoint is passed in,
bind-mount a new devtmpfs that contains a 'bus' node, which in turn in
bind-mounted with the custom endpoint. This tmpfs then mounted over the
kdbus subtree that refers to the current bus.
This way, we can fake the bus node in order to lock down services with
a kdbus custom endpoint policy.
|
| |
|
|
|
| |
Add types to describe endpoints and associated policy entries,
and add a BusEndpoint instace to ExecContext.
|
| |
|
|
|
|
| |
This factors out one conditional branch that has grown way too big, and
makes the code more readable by using return statements rather than jump
labels.
|
| |
|
|
|
|
|
|
|
|
| |
This way, the list of arguments to that function gets more comprehensive,
and we can get around passing lots of NULL and 0 arguments from socket.c,
swap.c and mount.c.
It also allows for splitting up the code in exec_spawn().
While at it, make ExecContext const in execute.c.
|
| | |
|
| |
|
|
| |
time differently
|
| | |
|
| |
|
|
|
|
| |
This reverts commit cf8bd44339b00330fdbc91041d6731ba8aba9fec.
Needs more discussion on the mailing list.
|
| |
|
|
|
|
|
|
|
|
| |
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
or when creating OS images offline
A new tool "systemd-firstboot" can be used either interactively on boot,
where it will query basic locale, timezone, hostname, root password
information and set it. Or it can be used non-interactively from the
command line when prepareing disk images for booting. When used
non-inertactively the tool can either copy settings from the host, or
take settings on the command line.
$ systemd-firstboot --root=/path/to/my/new/root --copy-locale --copy-root-password --hostname=waldi
The tool will be automatically invoked (interactively) now on first boot
if /etc is found unpopulated.
This also creates the infrastructure for generators to be notified via
an environment variable whether they are running on the first boot, or
not.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
|
| |
|
|
| |
No functional change expected :)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
tcpwrap is legacy code, that is barely maintained upstream. It's APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) questionnable. We should not support this natively in
systemd.
Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost.
|
| |
|
|
|
|
| |
safe_close_pair() is more like safe_close(), except that it handles
pairs of fds, and doesn't make and misleading allusion, as it works
similarly well for socketpairs() as for pipe()s...
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
safe_close() automatically becomes a NOP when a negative fd is passed,
and returns -1 unconditionally. This makes it easy to write lines like
this:
fd = safe_close(fd);
Which will close an fd if it is open, and reset the fd variable
correctly.
By making use of this new scheme we can drop a > 200 lines of code that
was required to test for non-negative fds or to reset the closed fd
variable afterwards.
|
| |
|
|
| |
define for the max number of rlimits, too
|
| |
|
|
|
| |
As discussed on the ML these are useful to manage runtime directories
below /run for services.
|
| |
|
|
| |
allocate a thread
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This new unit settings allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
|
| |
|
|
| |
for us
|
| |
|
|
|
|
| |
This permit to switch to a specific apparmor profile when starting a daemon. This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
|
| | |
|
| |
|
|
| |
processes
|
| |
|
|
|
| |
And make use of it where appropriate for executing services and for
nspawn.
|
| | |
|
| |
|
|
|
|
|
| |
architecture support for system calls
Also, turn system call filter bus properties into complex types instead
of concatenated strings.
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
- Allow configuration of an errno error to return from blacklisted
syscalls, instead of immediately terminating a process.
- Fix parsing logic when libseccomp support is turned off
- Only keep the actual syscall set in the ExecContext, and generate the
string version only on demand.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
|
| |
|
|
|
|
|
| |
-, like for others settings.
Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway.
|
| | |
|
| |
|
|
|
|
|
|
| |
This permit to let system administrators decide of the domain of a service.
This can be used with templated units to have each service in a différent
domain ( for example, a per customer database, using MLS or anything ),
or can be used to force a non selinux enabled system (jvm, erlang, etc)
to start in a different domain for each service.
|
| |
|
|
|
|
| |
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them.
|
| |
|
|
|
| |
Unfortunately a different cleanup function is necessary per type,
because cap_t** and char** are incompatible with void**.
|
| |
|
|
|
|
|
|
| |
It is nicer to predefine patterns using configure time check instead of
using casts everywhere.
Since we do not need to use any flags, include "%" in the format instead
of excluding it like PRI* macros.
|
| |
|
|
|
| |
Actually we already checked for !rt before, now we'd like to examine
the return value of the memory allocation.
|
| | |
|
| |
|
|
|
|
|
|
| |
Also, introduce a new environment variable named $WATCHDOG_PID which
cotnains the PID of the process that is supposed to send the keep-alive
events. This is similar how $LISTEN_FDS and $LISTEN_PID work together,
and protects against confusing processes further down the process tree
due to inherited environment.
|
| |
|
|
|
| |
This way, when a tty path is configured TERM is set, which is nice to
set a useful term for gettys.
|
