git.ipfire.org Git - thirdparty/systemd.git/commit

author	Lennart Poettering <lennart@poettering.net>
	Thu, 25 Aug 2016 13:57:21 +0000 (15:57 +0200)
committer	Djalal Harouni <tixxdz@opendz.org>
	Sun, 25 Sep 2016 08:42:18 +0000 (10:42 +0200)
commit	3f815163ff8fdcdbd329680580df36f94e15325d
tree	1436ba9f8a74ad8c6f4311764b7591a8283a5c00	tree \| snapshot
parent	160cfdbed3eb23b6bc3c17613685b756f23be4a1	commit \| diff

core: introduce ProtectSystem=strict

Let's tighten our sandbox a bit more: with this change ProtectSystem= gains a
new setting "strict". If set, the entire directory tree of the system is
mounted read-only, but the API file systems /proc, /dev, /sys are excluded
(they may be managed with PrivateDevices= and ProtectKernelTunables=). Also,
/home and /root are excluded as those are left for ProtectHome= to manage.

In this mode, all "real" file systems (i.e. non-API file systems) are mounted
read-only, and specific directories may only be excluded via
ReadWriteDirectories=, thus implementing an effective whitelist instead of
blacklist of writable directories.

While we are at, also add /efi to the list of paths always affected by
ProtectSystem=. This is a follow-up for
b52a109ad38cd37b660ccd5394ff5c171a5e5355 which added /efi as alternative for
/boot. Our namespacing logic should respect that too.

man/systemd.exec.xml		diff \| blob \| blame \| history
src/core/namespace.c		diff \| blob \| blame \| history
src/core/namespace.h		diff \| blob \| blame \| history