ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be a good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
417116f core: add new ReadOnlySystem= and ProtectedHome= settings for service units
man/systemd.exec.xml | 61 ++++++++++++++++++++++++++++-
src/core/dbus-execute.c | 5 +++
src/core/execute.c | 11 +++++-
src/core/execute.h | 3 ++
src/core/load-fragment-gperf.gperf.m4 | 2 +
src/core/load-fragment.c | 43 ++++++++++++++++++++
src/core/load-fragment.h | 1 +
src/core/namespace.c | 26 +++++++++++-
src/core/namespace.h | 15 +++++++
src/test/test-ns.c | 2 +
units/systemd-hostnamed.service.in | 2 +
units/systemd-journal-gatewayd.service.in | 2 +
units/systemd-journald.service.in | 2 +
units/systemd-localed.service.in | 2 +
units/systemd-logind.service.in | 2 +
units/systemd-machined.service.in | 2 +
units/systemd-networkd.service.in | 2 +
units/systemd-resolved.service.in | 2 +
units/systemd-timedated.service.in | 2 +
units/systemd-timesyncd.service.in | 2 +
units/systemd-udevd.service.in | 2 +
21 files changed, 187 insertions(+), 4 deletions(-)
Upstream: github.com
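An added example, not part of this commit or of systemd: a small audit that parses unit files and reports which services do not set the two directives this change introduces. It assumes the value syntax the commit message implies (ReadOnlySystem= is a boolean; ProtectedHome= takes a boolean or the literal `read-only`); the sample units are constructed.

```python
import re

# Constructed sample units (not from the patch) covering the cases to tell apart.
SAMPLE_UNITS = {
    "systemd-hostnamed.service":
        "[Unit]\nDescription=Hostname Service\n\n[Service]\n"
        "ExecStart=/usr/lib/systemd/systemd-hostnamed\n"
        "ReadOnlySystem=yes\nProtectedHome=yes\n",
    "legacy-daemon.service":
        "[Service]\nExecStart=/usr/sbin/legacyd\nReadOnlySystem=no\n",
    "report-daemon.service":
        "[Service]\nExecStart=/usr/sbin/reportd\n"
        "ProtectedHome=read-only\nReadOnlySystem=yes\n",
    "reset-daemon.service":
        "[Service]\nReadOnlySystem=yes\nProtectedHome=yes\nProtectedHome=\n",
}

TRUE_VALUES = {"1", "yes", "true", "on"}

def parse_service_section(text):
    """Key/value pairs of the [Service] section, last assignment wins.
    An empty assignment (Key=) resets the key, as systemd's parser does."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if value == "":
            settings.pop(key, None)   # `Key=` clears earlier assignments
        else:
            settings[key] = value
    return settings

def sandbox_status(text):
    """Report whether each of the two protections is enabled for one unit.
    Assumed syntax: ReadOnlySystem= boolean; ProtectedHome= boolean or 'read-only'."""
    s = parse_service_section(text)
    ro_system = s.get("ReadOnlySystem", "no").lower() in TRUE_VALUES
    home = s.get("ProtectedHome", "no").lower()
    return {"ReadOnlySystem": ro_system,
            "ProtectedHome": home in TRUE_VALUES or home == "read-only"}

def audit(units):
    """Names of units that lack at least one of the two protections."""
    return sorted(n for n, t in units.items()
                  if not all(sandbox_status(t).values()))

if __name__ == "__main__":
    for name in audit(SAMPLE_UNITS):
        print(f"{name}: missing ReadOnlySystem=/ProtectedHome= sandboxing")
```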