From 417116f23432073162ebfcb286a7800846482eed Mon Sep 17 00:00:00 2001 From: Lennart Poettering Date: Tue, 3 Jun 2014 23:41:44 +0200 Subject: core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data. --- units/systemd-journald.service.in | 2 ++ 1 file changed, 2 insertions(+) (limited to 'units/systemd-journald.service.in') diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index de9387933..ba3f84720 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -20,6 +20,8 @@ RestartSec=0 NotifyAccess=all StandardOutput=null CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID +ReadOnlySystem=yes +ProtectedHome=yes WatchdogSec=1min # Increase the default a bit in order to allow many simultaneous -- cgit v1.2.3