]> git.ipfire.org Git - thirdparty/systemd.git/commit - man/systemd.exec.xml
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 78dff3f) | patch
New directives NoExecPaths= ExecPaths=
authorTopi Miettinen <toiwoton@gmail.com>
Sat, 16 Jan 2021 11:49:32 +0000 (13:49 +0200)
committerTopi Miettinen <topimiettinen@users.noreply.github.com>
Fri, 29 Jan 2021 12:40:52 +0000 (12:40 +0000)
commitddc155b2fd7807cda088c437dc836eebbcf79cea
tree512024b3042da520bffd77e1b7e0e64e0405df68tree | snapshot
parent78dff3f3d72c62357543fe1716da3886cff54a10commit | diff
New directives NoExecPaths= ExecPaths=

Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.
15 files changed:
man/org.freedesktop.systemd1.xml diff | blob | blame | history
man/systemd.exec.xml diff | blob | blame | history
src/core/dbus-execute.c diff | blob | blame | history
src/core/execute.c diff | blob | blame | history
src/core/execute.h diff | blob | blame | history
src/core/load-fragment-gperf.gperf.m4 diff | blob | blame | history
src/core/namespace.c diff | blob | blame | history
src/core/namespace.h diff | blob | blame | history
src/shared/bus-unit-util.c diff | blob | blame | history
src/shared/mount-util.c diff | blob | blame | history
src/test/test-execute.c diff | blob | blame | history
src/test/test-namespace.c diff | blob | blame | history
src/test/test-ns.c diff | blob | blame | history
test/fuzz/fuzz-unit-file/directives.service diff | blob | blame | history
test/test-execute/exec-noexecpaths-simple.service [new file with mode: 0644] blob
Unnamed repository; edit this file 'description' to name the repository.