From: Lennart Poettering Date: Thu, 19 Apr 2018 14:51:04 +0000 (+0200) Subject: update NEWS X-Git-Tag: v239~48^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F8766%2Fhead;p=thirdparty%2Fsystemd.git update NEWS --- diff --git a/NEWS b/NEWS index cca6692c4bc..03fe0eca83e 100644 --- a/NEWS +++ b/NEWS @@ -46,6 +46,15 @@ CHANGES WITH 239 in spe: both runtime and persistent enablement/masking, i.e. it will remove any relevant symlinks both in /run and /etc. + * Note that all long-running system services shipped with systemd will + now default to a system call whitelist (rather than a blacklist, as + before). In particular, systemd-udevd will now enforce one too. For + most cases this should be safe, however downstream distributions + which disabled sandboxing of systemd-udevd (specifically the + MountFlags= setting), might want to disable this security feature + too, as the default whitelisting will prohibit all mount, swap, + reboot and clock changing operations from udev rules. + * sd-boot acquired new loader configuration settings to optionally turn off Windows and MacOS boot partition discovery as well as reboot-into-firmware menu items. It is also able to pick a better
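Review bot: In the added NEWS entry, the advice that downstream distributions "might want to disable this security feature too" names MountFlags= but never names the setting that carries the system call whitelist, so a packager reading this cannot tell what to override for systemd-udevd. Suggest naming that setting explicitly. Since the entry already lists what the default whitelist prohibits (mount, swap, reboot and clock changing operations from udev rules), it would also be safer to recommend that distributions whose rules need one of these extend the whitelist for just that operation instead of turning the filter off entirely. Minor style point: "For most cases this should be safe, however downstream distributions ..." is a comma splice and reads better as two sentences.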