- Desktop
- Enterprise
- Gaming
- Graphics
- Hardware
- Linux Kernel
- Multimedia
- Operating Systems
- Programming
- System Internals
- All Projects
- Latest News
- Linux Kernel: Linux 6.9-rc4
- Embind: support .implement()-based JS UNO objects
- tdf#33603: sd: rework notes panel
- xwayland: Add SourceValidate hook
- UPower: Release 1.90.4
- timezone: sync to TZDB 2024a
- Linux Kernel: Linux 6.9-rc3
- Optimize pg_popcount() with AVX-512 instructions
- Latest News (cont.)
- Enhance nbtree ScalarArrayOp execution
- Add basic JSON_TABLE() functionality
- Introduce a non-recursive JSON parser
- aarch64/fpu: Add vector variants of erfc
- tdf#160376 Add uno:Reload to the Notebookbar UI
- Update to latest Rhino 1.7.14
- Provide API for streaming relation data
- Linux Kernel: Linux 6.9-rc2
- avcodec/nvenc: add support for lookahead_level
- wmic: Support interactive mode and piped commands
- tdf#160386: Add support for switch element
Featured content is also available via:
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
System Internals / systemd - Lennart Poettering [poettering.net] - 3 June 2014 16:57 UTC
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
417116f core: add new ReadOnlySystem= and ProtectedHome= settings for service units
man/systemd.exec.xml | 61 ++++++++++++++++++++++++++++-
src/core/dbus-execute.c | 5 +++
src/core/execute.c | 11 +++++-
src/core/execute.h | 3 ++
src/core/load-fragment-gperf.gperf.m4 | 2 +
src/core/load-fragment.c | 43 ++++++++++++++++++++
src/core/load-fragment.h | 1 +
src/core/namespace.c | 26 +++++++++++-
src/core/namespace.h | 15 +++++++
src/test/test-ns.c | 2 +
units/systemd-hostnamed.service.in | 2 +
units/systemd-journal-gatewayd.service.in | 2 +
units/systemd-journald.service.in | 2 +
units/systemd-localed.service.in | 2 +
units/systemd-logind.service.in | 2 +
units/systemd-machined.service.in | 2 +
units/systemd-networkd.service.in | 2 +
units/systemd-resolved.service.in | 2 +
units/systemd-timedated.service.in | 2 +
units/systemd-timesyncd.service.in | 2 +
units/systemd-udevd.service.in | 2 +
21 files changed, 187 insertions(+), 4 deletions(-)
Upstream: github.com
Related systemd Activity
- core: add [Enable|Disable]UnitFilesWithFlags DBUS methods
Luca Boccassi - core: add device mapper to allow-list with DevicePolicy=closed and RootImage
Luca Boccassi - core: add RootHash and RootVerity service parameters
Luca Boccassi - core: let user define start-/stop-timeout behaviour
Jan Klötzke
Share
- Tweet
Recent systemd Activity
- hwdb: add Medion Akoya E2228T MD61900 (#18317)
corvusnix - varlink: make 'userdata' pointer inheritance from varlink server to connection optional
Lennart Poettering - udev: use DEFINE_MAIN_FUNCTION in cdrom_id
Dan Streetman - network: add support to RoutingPolicyRule lookup table name
Susant Sahani - resolved: fix use-after-free with queries hitting the cache
Zbigniew Jędrzejewski-Szmek