From e01d9e2193ad4699a0507fc631613b5666d4d897 Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Thu, 19 Apr 2018 16:51:04 +0200
Subject: [PATCH] update NEWS

---
 NEWS | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/NEWS b/NEWS
index cca6692c4bc..03fe0eca83e 100644
--- a/NEWS
+++ b/NEWS
@@ -46,6 +46,15 @@ CHANGES WITH 239 in spe:
           both runtime and persistent enablement/masking, i.e. it will remove
           any relevant symlinks both in /run and /etc.
 
+        * Note that all long-running system services shipped with systemd will
+          now default to a system call whitelist (rather than a blacklist, as
+          before). In particular, systemd-udevd will now enforce one too. For
+          most cases this should be safe, however downstream distributions
+          which disabled sandboxing of systemd-udevd (specifically the
+          MountFlags= setting), might want to disable this security feature
+          too, as the default whitelisting will prohibit all mount, swap,
+          reboot and clock changing operations from udev rules.
+
         * sd-boot acquired new loader configuration settings to optionally turn
           off Windows and MacOS boot partition discovery as well as
           reboot-into-firmware menu items. It is also able to pick a better
-- 
2.47.3