]> git.ipfire.org Git - thirdparty/systemd.git/commit - src/core/dbus-execute.c
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 18e51a0) | patch
core:sandbox: Add ProtectKernelModules= option
authorDjalal Harouni <tixxdz@opendz.org>
Wed, 12 Oct 2016 11:31:21 +0000 (13:31 +0200)
committerDjalal Harouni <tixxdz@opendz.org>
Wed, 12 Oct 2016 11:31:21 +0000 (13:31 +0200)
commit502d704e5ed2d288069471f4e3611115cde107d6
tree4f477c49d4ce8b979479735bcc4f4043b2df111btree | snapshot
parent18e51a022c632344c4a48ba6ccb3475fad2a2c3bcommit | diff
core:sandbox: Add ProtectKernelModules= option

This is useful to turn off explicit module load and unload operations on modular
kernels. This option removes CAP_SYS_MODULE from the capability bounding set for
the unit, and installs a system call filter to block module system calls.

This option will not prevent the kernel from loading modules using the module
auto-load feature which is a system wide operation.
man/systemd.exec.xml diff | blob | blame | history
src/core/dbus-execute.c diff | blob | blame | history
src/core/execute.c diff | blob | blame | history
src/core/execute.h diff | blob | blame | history
src/core/load-fragment-gperf.gperf.m4 diff | blob | blame | history
src/core/unit.c diff | blob | blame | history
src/shared/bus-unit-util.c diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.