path: root/src/core/execute.c
* socket: introduce SELinuxLabelViaNet option (Michal Sekletar, 2014-08-19)
  This makes it possible to spawn service instances triggered by a socket with MLS/MCS SELinux labels which are created based on information provided by the connected peer. The implementation of label_get_child_label is derived from xinetd.
  Reviewed-by: Paul Moore <pmoore@redhat.com>
* time-util: add and use USEC/NSEC_INFINITY (Kay Sievers, 2014-07-29)
* firstboot: add new component to query basic system settings on first boot, or when creating OS images offline (Lennart Poettering, 2014-07-07)
  A new tool "systemd-firstboot" can be used either interactively on boot, where it will query basic locale, timezone, hostname and root password information and set it, or it can be used non-interactively from the command line when preparing disk images for booting. When used non-interactively the tool can either copy settings from the host, or take settings on the command line.

  $ systemd-firstboot --root=/path/to/my/new/root --copy-locale --copy-root-password --hostname=waldi

  The tool will now be automatically invoked (interactively) on first boot if /etc is found unpopulated. This also creates the infrastructure for generators to be notified via an environment variable whether they are running on the first boot, or not.
* machinectl: show /etc/os-release information of container in status output (Lennart Poettering, 2014-07-03)
* use more _cleanup_ macros (Ronny Chevalier, 2014-06-24)
* core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only (Lennart Poettering, 2014-06-04)
  Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
* core: add new ReadOnlySystem= and ProtectedHome= settings for service units (Lennart Poettering, 2014-06-03)
  ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building blocks for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
* Remove unnecessary casts in printfs (Zbigniew Jędrzejewski-Szmek, 2014-05-15)
  No functional change expected :)
* core: remove tcpwrap support (Lennart Poettering, 2014-03-24)
  tcpwrap is legacy code that is barely maintained upstream. Its APIs are awful, and the feature set it exposes (such as DNS and IDENT access control) questionable. We should not support this natively in systemd. Hence, let's remove the code. If people want to continue making use of this, they can do so by plugging in "tcpd" for the processes they start. With that scheme things are as well or badly supported as they were from traditional inetd, hence no functionality is really lost.
* util: replace close_pipe() with new safe_close_pair() (Lennart Poettering, 2014-03-24)
  safe_close_pair() is more like safe_close(), except that it handles pairs of fds, and doesn't make a misleading allusion, as it works similarly well for socketpair()s as for pipe()s...
* util: replace close_nointr_nofail() by a more useful safe_close() (Lennart Poettering, 2014-03-18)
  safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this:

  fd = safe_close(fd);

  Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.
* missing: if RLIMIT_RTTIME is not defined by the libc, then we need a new define for the max number of rlimits, too (Lennart Poettering, 2014-03-05)
* core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings (Lennart Poettering, 2014-03-03)
  As discussed on the ML these are useful to manage runtime directories below /run for services.
* execute: free directory path if we fail to remove it because we cannot allocate a thread (Lennart Poettering, 2014-03-03)
* exec: imply NoNewPrivileges= only when seccomp filters are used in user mode (Lennart Poettering, 2014-02-26)
* core: add new RestrictAddressFamilies= switch (Lennart Poettering, 2014-02-26)
  This new unit setting allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
* seccomp: we should control NO_NEW_PRIVS on our own, not let seccomp do this for us (Lennart Poettering, 2014-02-26)
* core: Add AppArmor profile switching (Michael Scherer, 2014-02-21)
  This permits switching to a specific AppArmor profile when starting a daemon. This will be a no-op if AppArmor is disabled. It also adds a new build requirement on libapparmor for using this feature.
* execute: modernizations (Lennart Poettering, 2014-02-19)
* core: add Personality= option for units to set the personality for spawned processes (Lennart Poettering, 2014-02-19)
* seccomp: add helper call to add all secondary archs to a seccomp filter (Lennart Poettering, 2014-02-18)
  And make use of it where appropriate for executing services and for nspawn.
* core: store and expose SELinuxContext field normalized as bool + string (Lennart Poettering, 2014-02-17)
* core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls (Lennart Poettering, 2014-02-13)
  Also, turn system call filter bus properties into complex types instead of concatenated strings.
* core: fix build without libseccomp (Lennart Poettering, 2014-02-12)
* core: rework syscall filter (Lennart Poettering, 2014-02-12)
  - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process.
  - Fix parsing logic when libseccomp support is turned off.
  - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
* syscallfilter: port to libseccomp (Ronny Chevalier, 2014-02-12)
* nspawn,man: use a common vocabulary when referring to selinux security contexts (Lennart Poettering, 2014-02-10)
  Let's always call the security labels the same way:
    SMACK: "Smack Label"
    SELINUX: "SELinux Security Context"
  And the low-level encapsulation is called "seclabel". Now let's hope we stick to this vocabulary in future, too, and don't mix "label"s and "security contexts" and so on wildly.
* exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for other settings (Michael Scherer, 2014-02-10)
  Also remove the call to security_check_context, as this doesn't serve anything, since setexeccon will fail anyway.
* exec: Ignore the setting SELinuxContext if selinux is not enabled (Michael Scherer, 2014-02-10)
* exec: Add SELinuxContext configuration item (Michael Scherer, 2014-02-10)
  This permits system administrators to decide the domain of a service. This can be used with templated units to have each service in a different domain (for example, a per-customer database, using MLS or anything), or can be used to force a non-SELinux-enabled system (JVM, Erlang, etc.) to start in a different domain for each service.
* exec: introduce PrivateDevices= switch to provide services with a private /dev (Lennart Poettering, 2014-01-20)
  Similar to PrivateNetwork= and PrivateTmp=, introduce PrivateDevices=, which sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but no physical devices in it.
* Introduce cleanup functions for cap_free (Zbigniew Jędrzejewski-Szmek, 2014-01-02)
  Unfortunately a different cleanup function is necessary per type, because cap_t** and char** are incompatible with void**.
* Use format patterns for usec_t, pid_t, nsec_t, usec_t (Zbigniew Jędrzejewski-Szmek, 2014-01-02)
  It is nicer to predefine patterns using a configure-time check instead of using casts everywhere. Since we do not need to use any flags, include "%" in the format instead of excluding it like the PRI* macros do.
* core: Forgot to dereference pointer when checking for NULL (Stefan Beller, 2013-12-30)
  Actually we already checked for !rt before, now we'd like to examine the return value of the memory allocation.
* build-sys: minor fixes found with cppcheck (Lennart Poettering, 2013-12-25)
* sd-daemon: introduce sd_watchdog_enabled() for parsing $WATCHDOG_USEC (Lennart Poettering, 2013-12-22)
  Also, introduce a new environment variable named $WATCHDOG_PID which contains the PID of the process that is supposed to send the keep-alive events. This is similar to how $LISTEN_FDS and $LISTEN_PID work together, and protects against confusing processes further down the process tree due to inherited environment.
* execute: set TERM even if we don't open the tty on our own (Lennart Poettering, 2013-12-18)
  This way, when a tty path is configured TERM is set, which is nice to set a useful term for gettys.
* execute: also set SO_SNDBUF when spawning a service with stdout/stderr connected to journald (Lennart Poettering, 2013-12-16)
* Get rid of our reimplementation of basename (Zbigniew Jędrzejewski-Szmek, 2013-12-06)
  The only problem is that libgen.h #defines basename to point to its own broken implementation instead of the GNU one. This can be fixed by #undefining basename.
* service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces (Lennart Poettering, 2013-11-27)
* Remove dead code and unexport some calls (Lennart Poettering, 2013-11-08)
  "make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
* strv: introduce new strv_from_stdarg_alloca() macro to generate a string array from stdarg function parameters (Lennart Poettering, 2013-10-29)
  This allows us to turn lists of strings passed in easily into string arrays without having to allocate memory.
* systemd: use unit name in PrivateTmp directories (Zbigniew Jędrzejewski-Szmek, 2013-10-22)
  The unit name is used whole in the directory name, so that it can be easily extracted from it, e.g. "/tmp/systemd-abcd.service-DEDBIF1".
  https://bugzilla.redhat.com/show_bug.cgi?id=957439
* macro: clean up usage of gcc attributes (Lennart Poettering, 2013-10-16)
  Always use our own macros, and name all our own macros the same style.
* list: make our list macros a bit easier to use by not requiring type spec on each invocation (Lennart Poettering, 2013-10-14)
  We can determine the list entry type via the typeof() gcc construct, and so we should, to make the macros much shorter to use.
* execute: more debugging messages (Zbigniew Jędrzejewski-Szmek, 2013-10-03)
* execute.c: always set $SHELL (Zbigniew Jędrzejewski-Szmek, 2013-10-02)
  In e6dca81 $SHELL was added to user@.service. Let's instead provide it to all units which have a user.
* execute.c: little modernization (Zbigniew Jędrzejewski-Szmek, 2013-09-26)
* cgroup: if we do a cgroup operation then do something on all supported controllers (Lennart Poettering, 2013-09-25)
  Previously we did operations like attach, trim or migrate only on the controllers that were enabled for a specific unit. With these changes we will now do them for all supported controllers, and fall back to all possible prefix paths if the specified paths do not exist. This fixes issues if a controller is being disabled for a unit where it was previously enabled, and makes sure that all processes stay as "far down" the tree as groups exist.
* Make tmpdir removal asynchronous (Zbigniew Jędrzejewski-Szmek, 2013-09-17)
  https://bugs.freedesktop.org/show_bug.cgi?id=68232