core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mountin...

author Lennart Poettering <lennart@poettering.net>

Wed, 4 Jun 2014 16:07:55 +0000 (18:07 +0200)

committer Lennart Poettering <lennart@poettering.net>

Wed, 4 Jun 2014 16:12:55 +0000 (18:12 +0200)
author Lennart Poettering <lennart@poettering.net>
Wed, 4 Jun 2014 16:07:55 +0000 (18:07 +0200)
committer Lennart Poettering <lennart@poettering.net>
Wed, 4 Jun 2014 16:12:55 +0000 (18:12 +0200)
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml

index 36643034913c91169fcce52b5b29a416ef42dfa3..d426ac0899a4b146d1967a24f3c9b18018de2fa0 100644 (file)
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -935,16 +935,21 @@
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
-                                <term><varname>ReadOnlySystem=</varname></term>
+                                <term><varname>ProtectSystem=</varname></term>
  
                                  <listitem><para>Takes a boolean
  
                                  <listitem><para>Takes a boolean
-                                argument. If true, mounts the
-                                <filename>/usr</filename> and
-                                <filename>/boot</filename> directories
-                                read-only for processes invoked by
-                                this unit. This setting ensures that
-                                any modification of the vendor
-                                supplied operating system is
+                                argument or
+                                <literal>full</literal>. If true,
+                                mounts the <filename>/usr</filename>
+                                and <filename>/boot</filename>
+                                directories read-only for processes
+                                invoked by this unit. If set to
+                                <literal>full</literal> the
+                                <filename>/etc</filename> is mounted
+                                read-only, too. This setting ensures
+                                that any modification of the vendor
+                                supplied operating system (and
+                                optionally its configuration) is
                                  prohibited for the service. It is
                                  recommended to enable this setting for
                                  all long-running services, unless they
                                  prohibited for the service. It is
                                  recommended to enable this setting for
                                  all long-running services, unless they
@@ -962,7 +967,7 @@
                          </varlistentry>
  
                          <varlistentry>
                          </varlistentry>
  
                          <varlistentry>
-                                <term><varname>ProtectedHome=</varname></term>
+                                <term><varname>ProtectHome=</varname></term>
  
                                  <listitem><para>Takes a boolean
                                  argument or
  
                                  <listitem><para>Takes a boolean
                                  argument or
@@ -977,7 +982,7 @@
                                  instead. It is recommended to enable
                                  this setting for all long-running
                                  services (in particular network-facing
                                  instead. It is recommended to enable
                                  this setting for all long-running
                                  services (in particular network-facing
-                                one), to ensure they cannot get access
+                                ones), to ensure they cannot get access
                                  to private user data, unless the
                                  services actually require access to
                                  the user's private data. Note however,
                                  to private user data, unless the
                                  services actually require access to
                                  the user's private data. Note however,
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c

index 2aa08c14354c324408923f309eb06b6346c23a5f..cb9a077d0e45d67cf3c5eae384092ed436335b04 100644 (file)
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -45,7 +45,8 @@ BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_exec_output, exec_output, ExecOutp
  
  static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_input, exec_input, ExecInput);
  
  
  static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_input, exec_input, ExecInput);
  
-static BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_protected_home, protected_home, ProtectedHome);
+static BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_protect_home, protect_home, ProtectHome);
+static BUS_DEFINE_PROPERTY_GET_ENUM(bus_property_get_protect_system, protect_system, ProtectSystem);
  
  static int property_get_environment_files(
                  sd_bus *bus,
  
  static int property_get_environment_files(
                  sd_bus *bus,
@@ -629,8 +630,8 @@ const sd_bus_vtable bus_exec_vtable[] = {
          SD_BUS_PROPERTY("PrivateTmp", "b", bus_property_get_bool, offsetof(ExecContext, private_tmp), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("PrivateTmp", "b", bus_property_get_bool, offsetof(ExecContext, private_tmp), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("PrivateDevices", "b", bus_property_get_bool, offsetof(ExecContext, private_devices), SD_BUS_VTABLE_PROPERTY_CONST),
-        SD_BUS_PROPERTY("ProtectedHome", "s", bus_property_get_protected_home, offsetof(ExecContext, protected_home), SD_BUS_VTABLE_PROPERTY_CONST),
-        SD_BUS_PROPERTY("ReadOnlySystem", "b", bus_property_get_bool, offsetof(ExecContext, read_only_system), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ProtectHome", "s", bus_property_get_protect_home, offsetof(ExecContext, protect_home), SD_BUS_VTABLE_PROPERTY_CONST),
+        SD_BUS_PROPERTY("ProtectSystem", "s", bus_property_get_protect_system, offsetof(ExecContext, protect_system), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("SELinuxContext", "(bs)", property_get_selinux_context, 0, SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("SameProcessGroup", "b", bus_property_get_bool, offsetof(ExecContext, same_pgrp), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("UtmpIdentifier", "s", NULL, offsetof(ExecContext, utmp_id), SD_BUS_VTABLE_PROPERTY_CONST),
          SD_BUS_PROPERTY("SELinuxContext", "(bs)", property_get_selinux_context, 0, SD_BUS_VTABLE_PROPERTY_CONST),
diff --git a/src/core/execute.c b/src/core/execute.c

index ce8b9bcb8b9b212937471b2b1ace5d8eaf44b44e..78fb81f7262771d97002512bb3e5ea964bfa0c67 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1570,8 +1570,8 @@ int exec_spawn(ExecCommand *command,
                      context->mount_flags != 0 ||
                      (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
                      context->private_devices ||
                      context->mount_flags != 0 ||
                      (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
                      context->private_devices ||
-                    context->read_only_system ||
-                    context->protected_home != PROTECTED_HOME_NO) {
+                    context->protect_system != PROTECT_SYSTEM_NO ||
+                    context->protect_home != PROTECT_HOME_NO) {
  
                          char *tmp = NULL, *var = NULL;
  
  
                          char *tmp = NULL, *var = NULL;
  
@@ -1595,8 +1595,8 @@ int exec_spawn(ExecCommand *command,
                                          tmp,
                                          var,
                                          context->private_devices,
                                          tmp,
                                          var,
                                          context->private_devices,
-                                        context->protected_home,
-                                        context->read_only_system,
+                                        context->protect_home,
+                                        context->protect_system,
                                          context->mount_flags);
                          if (err < 0) {
                                  r = EXIT_NAMESPACE;
                                          context->mount_flags);
                          if (err < 0) {
                                  r = EXIT_NAMESPACE;
@@ -2114,8 +2114,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                  "%sPrivateTmp: %s\n"
                  "%sPrivateNetwork: %s\n"
                  "%sPrivateDevices: %s\n"
                  "%sPrivateTmp: %s\n"
                  "%sPrivateNetwork: %s\n"
                  "%sPrivateDevices: %s\n"
-                "%sProtectedHome: %s\n"
-                "%sReadOnlySystem: %s\n"
+                "%sProtectHome: %s\n"
+                "%sProtectSystem: %s\n"
                  "%sIgnoreSIGPIPE: %s\n",
                  prefix, c->umask,
                  prefix, c->working_directory ? c->working_directory : "/",
                  "%sIgnoreSIGPIPE: %s\n",
                  prefix, c->umask,
                  prefix, c->working_directory ? c->working_directory : "/",
@@ -2124,8 +2124,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                  prefix, yes_no(c->private_tmp),
                  prefix, yes_no(c->private_network),
                  prefix, yes_no(c->private_devices),
                  prefix, yes_no(c->private_tmp),
                  prefix, yes_no(c->private_network),
                  prefix, yes_no(c->private_devices),
-                prefix, protected_home_to_string(c->protected_home),
-                prefix, yes_no(c->read_only_system),
+                prefix, protect_home_to_string(c->protect_home),
+                prefix, protect_system_to_string(c->protect_system),
                  prefix, yes_no(c->ignore_sigpipe));
  
          STRV_FOREACH(e, c->environment)
                  prefix, yes_no(c->ignore_sigpipe));
  
          STRV_FOREACH(e, c->environment)
diff --git a/src/core/execute.h b/src/core/execute.h

index 3d6f77c8ef01f63e7971e3f46f1234a4733a67d4..9d05d3a9dec95c7c0985408a07fc202dd264c3f8 100644 (file)
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -157,8 +157,8 @@ struct ExecContext {
          bool private_tmp;
          bool private_network;
          bool private_devices;
          bool private_tmp;
          bool private_network;
          bool private_devices;
-        bool read_only_system;
-        ProtectedHome protected_home;
+        ProtectSystem protect_system;
+        ProtectHome protect_home;
  
          bool no_new_privileges;
  
  
          bool no_new_privileges;
  
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4

index 95f59f55d9aea995190d0a7cafbde2e8e4c416ff..089c32a81e73e63ba567af0194d939b0358297aa 100644 (file)
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -80,8 +80,8 @@ $1.InaccessibleDirectories,      config_parse_namespace_path_strv,   0,
  $1.PrivateTmp,                   config_parse_bool,                  0,                             offsetof($1, exec_context.private_tmp)
  $1.PrivateNetwork,               config_parse_bool,                  0,                             offsetof($1, exec_context.private_network)
  $1.PrivateDevices,               config_parse_bool,                  0,                             offsetof($1, exec_context.private_devices)
  $1.PrivateTmp,                   config_parse_bool,                  0,                             offsetof($1, exec_context.private_tmp)
  $1.PrivateNetwork,               config_parse_bool,                  0,                             offsetof($1, exec_context.private_network)
  $1.PrivateDevices,               config_parse_bool,                  0,                             offsetof($1, exec_context.private_devices)
-$1.ReadOnlySystem,               config_parse_bool,                  0,                             offsetof($1, exec_context.read_only_system)
-$1.ProtectedHome,                config_parse_protected_home,        0,                             offsetof($1, exec_context)
+$1.ProtectSystem,                config_parse_protect_system,        0,                             offsetof($1, exec_context.protect_system)
+$1.ProtectHome,                  config_parse_protect_home,          0,                             offsetof($1, exec_context.protect_home)
  $1.MountFlags,                   config_parse_exec_mount_flags,      0,                             offsetof($1, exec_context)
  $1.Personality,                  config_parse_personality,           0,                             offsetof($1, exec_context.personality)
  $1.RuntimeDirectoryMode,         config_parse_mode,                  0,                             offsetof($1, exec_context.runtime_directory_mode)
  $1.MountFlags,                   config_parse_exec_mount_flags,      0,                             offsetof($1, exec_context)
  $1.Personality,                  config_parse_personality,           0,                             offsetof($1, exec_context.personality)
  $1.RuntimeDirectoryMode,         config_parse_mode,                  0,                             offsetof($1, exec_context.runtime_directory_mode)
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c

index 64d4c2f639114c2afae5d5c0cb8531dc0db6e6a1..54d3af1a99374fc095d10a11f8aa572ed2187504 100644 (file)
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -3101,7 +3101,7 @@ int config_parse_no_new_privileges(
          return 0;
  }
  
          return 0;
  }
  
-int config_parse_protected_home(
+int config_parse_protect_home(
                  const char* unit,
                  const char *filename,
                  unsigned line,
                  const char* unit,
                  const char *filename,
                  unsigned line,
@@ -3126,19 +3126,62 @@ int config_parse_protected_home(
  
          k = parse_boolean(rvalue);
          if (k > 0)
  
          k = parse_boolean(rvalue);
          if (k > 0)
-                c->protected_home = PROTECTED_HOME_YES;
+                c->protect_home = PROTECT_HOME_YES;
          else if (k == 0)
          else if (k == 0)
-                c->protected_home = PROTECTED_HOME_NO;
+                c->protect_home = PROTECT_HOME_NO;
          else {
          else {
-                ProtectedHome h;
+                ProtectHome h;
  
  
-                h = protected_home_from_string(rvalue);
+                h = protect_home_from_string(rvalue);
                  if (h < 0){
                  if (h < 0){
-                        log_syntax(unit, LOG_ERR, filename, line, -h, "Failed to parse protected home value, ignoring: %s", rvalue);
+                        log_syntax(unit, LOG_ERR, filename, line, -h, "Failed to parse protect home value, ignoring: %s", rvalue);
                          return 0;
                  }
  
                          return 0;
                  }
  
-                c->protected_home = h;
+                c->protect_home = h;
+        }
+
+        return 0;
+}
+
+int config_parse_protect_system(
+                const char* unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+
+        ExecContext *c = data;
+        int k;
+
+        assert(filename);
+        assert(lvalue);
+        assert(rvalue);
+        assert(data);
+
+        /* Our enum shall be a superset of booleans, hence first try
+         * to parse as as boolean, and then as enum */
+
+        k = parse_boolean(rvalue);
+        if (k > 0)
+                c->protect_system = PROTECT_SYSTEM_YES;
+        else if (k == 0)
+                c->protect_system = PROTECT_SYSTEM_NO;
+        else {
+                ProtectSystem s;
+
+                s = protect_system_from_string(rvalue);
+                if (s < 0){
+                        log_syntax(unit, LOG_ERR, filename, line, -s, "Failed to parse protect system value, ignoring: %s", rvalue);
+                        return 0;
+                }
+
+                c->protect_system = s;
          }
  
          return 0;
          }
  
          return 0;
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h

index 9e4494cf98378dad8510630808312dc087f85ce5..1c21c466d2373b87c9b3a64550c4717706916d66 100644 (file)
--- a/src/core/load-fragment.h
+++ b/src/core/load-fragment.h
@@ -98,7 +98,8 @@ int config_parse_set_status(const char *unit, const char *filename, unsigned lin
  int config_parse_namespace_path_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
  int config_parse_no_new_privileges(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
  int config_parse_cpu_quota(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
  int config_parse_namespace_path_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
  int config_parse_no_new_privileges(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
  int config_parse_cpu_quota(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
-int config_parse_protected_home(const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_protect_home(const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_protect_system(const char* unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
  
  /* gperf prototypes */
  const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);
  
  /* gperf prototypes */
  const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length);
diff --git a/src/core/namespace.c b/src/core/namespace.c

index 1f987a4b9d03ceb225434d2e7d2d2f2a5a3a63c1..080c086fd4a01e22e11e23fb8c5e333f43e16b5a 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -337,8 +337,8 @@ int setup_namespace(
                  char* tmp_dir,
                  char* var_tmp_dir,
                  bool private_dev,
                  char* tmp_dir,
                  char* var_tmp_dir,
                  bool private_dev,
-                ProtectedHome protected_home,
-                bool read_only_system,
+                ProtectHome protect_home,
+                ProtectSystem protect_system,
                  unsigned mount_flags) {
  
          BindMount *m, *mounts = NULL;
                  unsigned mount_flags) {
  
          BindMount *m, *mounts = NULL;
@@ -356,8 +356,9 @@ int setup_namespace(
                  strv_length(read_only_dirs) +
                  strv_length(inaccessible_dirs) +
                  private_dev +
                  strv_length(read_only_dirs) +
                  strv_length(inaccessible_dirs) +
                  private_dev +
-                (protected_home != PROTECTED_HOME_NO ? 2 : 0) +
-                (read_only_system ? 2 : 0);
+                (protect_home != PROTECT_HOME_NO ? 2 : 0) +
+                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+                (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
  
          if (n > 0) {
                  m = mounts = (BindMount *) alloca(n * sizeof(BindMount));
  
          if (n > 0) {
                  m = mounts = (BindMount *) alloca(n * sizeof(BindMount));
@@ -391,14 +392,14 @@ int setup_namespace(
                          m++;
                  }
  
                          m++;
                  }
  
-                if (protected_home != PROTECTED_HOME_NO) {
-                        r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user"), protected_home == PROTECTED_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
+                if (protect_home != PROTECT_HOME_NO) {
+                        r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user"), protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
                          if (r < 0)
                                  return r;
                  }
  
                          if (r < 0)
                                  return r;
                  }
  
-                if (read_only_system) {
-                        r = append_mounts(&m, STRV_MAKE("/usr", "-/boot"), READONLY);
+                if (protect_system != PROTECT_SYSTEM_NO) {
+                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc", "-/boot") : STRV_MAKE("/usr", "-/boot"), READONLY);
                          if (r < 0)
                                  return r;
                  }
                          if (r < 0)
                                  return r;
                  }
@@ -604,10 +605,18 @@ fail:
          return r;
  }
  
          return r;
  }
  
-static const char *const protected_home_table[_PROTECTED_HOME_MAX] = {
-        [PROTECTED_HOME_NO] = "no",
-        [PROTECTED_HOME_YES] = "yes",
-        [PROTECTED_HOME_READ_ONLY] = "read-only",
+static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
+        [PROTECT_HOME_NO] = "no",
+        [PROTECT_HOME_YES] = "yes",
+        [PROTECT_HOME_READ_ONLY] = "read-only",
  };
  
  };
  
-DEFINE_STRING_TABLE_LOOKUP(protected_home, ProtectedHome);
+DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
+
+static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
+        [PROTECT_SYSTEM_NO] = "no",
+        [PROTECT_SYSTEM_YES] = "yes",
+        [PROTECT_SYSTEM_FULL] = "full",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
diff --git a/src/core/namespace.h b/src/core/namespace.h

index b985bdf5121c121d0c08245736aa51d6c006cda6..9343fe326420ee19e84fb2d5872551d03fddf5a8 100644 (file)
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -25,13 +25,21 @@
  
  #include "macro.h"
  
  
  #include "macro.h"
  
-typedef enum ProtectedHome {
-        PROTECTED_HOME_NO,
-        PROTECTED_HOME_YES,
-        PROTECTED_HOME_READ_ONLY,
-        _PROTECTED_HOME_MAX,
-        _PROTECTED_HOME_INVALID = -1
-} ProtectedHome;
+typedef enum ProtectHome {
+        PROTECT_HOME_NO,
+        PROTECT_HOME_YES,
+        PROTECT_HOME_READ_ONLY,
+        _PROTECT_HOME_MAX,
+        _PROTECT_HOME_INVALID = -1
+} ProtectHome;
+
+typedef enum ProtectSystem {
+        PROTECT_SYSTEM_NO,
+        PROTECT_SYSTEM_YES,
+        PROTECT_SYSTEM_FULL,
+        _PROTECT_SYSTEM_MAX,
+        _PROTECT_SYSTEM_INVALID = -1
+} ProtectSystem;
  
  int setup_namespace(char **read_write_dirs,
                      char **read_only_dirs,
  
  int setup_namespace(char **read_write_dirs,
                      char **read_only_dirs,
@@ -39,8 +47,8 @@ int setup_namespace(char **read_write_dirs,
                      char *tmp_dir,
                      char *var_tmp_dir,
                      bool private_dev,
                      char *tmp_dir,
                      char *var_tmp_dir,
                      bool private_dev,
-                    ProtectedHome protected_home,
-                    bool read_only_system,
+                    ProtectHome protect_home,
+                    ProtectSystem protect_system,
                      unsigned mount_flags);
  
  int setup_tmp_dirs(const char *id,
                      unsigned mount_flags);
  
  int setup_tmp_dirs(const char *id,
@@ -49,5 +57,8 @@ int setup_tmp_dirs(const char *id,
  
  int setup_netns(int netns_storage_socket[2]);
  
  
  int setup_netns(int netns_storage_socket[2]);
  
-const char* protected_home_to_string(ProtectedHome p) _const_;
-ProtectedHome protected_home_from_string(const char *s) _pure_;
+const char* protect_home_to_string(ProtectHome p) _const_;
+ProtectHome protect_home_from_string(const char *s) _pure_;
+
+const char* protect_system_to_string(ProtectSystem p) _const_;
+ProtectSystem protect_system_from_string(const char *s) _pure_;
diff --git a/src/test/test-ns.c b/src/test/test-ns.c

index 71581934cb91da721504d4245055245fe74156d7..acad725899aa5686b5d842c83f4e6c293886bc7b 100644 (file)
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -60,8 +60,8 @@ int main(int argc, char *argv[]) {
                              tmp_dir,
                              var_tmp_dir,
                              true,
                              tmp_dir,
                              var_tmp_dir,
                              true,
-                            PROTECTED_HOME_NO,
-                            false,
+                            PROTECT_HOME_NO,
+                            PROTECT_SYSTEM_NO,
                              0);
          if (r < 0) {
                  log_error("Failed to setup namespace: %s", strerror(-r));
                              0);
          if (r < 0) {
                  log_error("Failed to setup namespace: %s", strerror(-r));
diff --git a/units/systemd-bus-proxyd@.service.in b/units/systemd-bus-proxyd@.service.in

index 3dc2cd9e65d2d1b76482c3e783b4c97f5a974d0f..0499269f3dbce71afe4c44488ac29f211591a448 100644 (file)
--- a/units/systemd-bus-proxyd@.service.in
+++ b/units/systemd-bus-proxyd@.service.in
@@ -18,5 +18,5 @@ CapabilityBoundingSet=CAP_IPC_OWNER CAP_SETUID CAP_SETGID CAP_SETPCAP
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=full
+ProtectHome=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in

index 497b8d99744941148edca052bc979c477108c4bd..cc88ecd0db28b79958e3ea8952cc6319e0706206 100644 (file)
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -18,5 +18,5 @@ WatchdogSec=1min
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=yes
+ProtectHome=yes
diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in

index 3695240cbf9f8c32215d3980d5e79586f3ea5bde..5bd8e4b34174edf3a025e7d48acd7e178ed82fca 100644 (file)
--- a/units/systemd-journal-gatewayd.service.in
+++ b/units/systemd-journal-gatewayd.service.in
@@ -17,8 +17,8 @@ SupplementaryGroups=systemd-journal
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=full
+ProtectHome=yes
  
  [Install]
  Also=systemd-journal-gatewayd.socket
  
  [Install]
  Also=systemd-journal-gatewayd.socket
diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in

index 4a307c708bca43b5ada9e00fe1583242a16139df..70139795a5de660a316dc71be13910bc1c52d671 100644 (file)
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@@ -21,8 +21,6 @@ RestartSec=0
  NotifyAccess=all
  StandardOutput=null
  CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
  NotifyAccess=all
  StandardOutput=null
  CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE CAP_SYSLOG CAP_AUDIT_CONTROL CAP_CHOWN CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SETUID CAP_SETGID
-ReadOnlySystem=yes
-ProtectedHome=yes
  WatchdogSec=1min
  
  # Increase the default a bit in order to allow many simultaneous
  WatchdogSec=1min
  
  # Increase the default a bit in order to allow many simultaneous
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in

index e1792d6546eec8ee27f9ca988a72f73450b59e1a..bfa097844ff925304c4deabb48c88a74dbd02d4f 100644 (file)
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -18,5 +18,5 @@ WatchdogSec=1min
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=yes
+ProtectHome=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in

index 07522e12a468edb9869389270fc371ac41c5ae76..e60ea32fa0a4ebe4f7fa44f091315b88123928a1 100644 (file)
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -20,5 +20,5 @@ WatchdogSec=1min
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
  PrivateTmp=yes
  PrivateDevices=yes
  PrivateNetwork=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+PortectSystem=full
+ProtectHome=yes
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in

index a928999205ddd356726e4675bd3d51328c268658..373ac4e0fd1905eea4fa7ed6e531eeaa04b64649 100644 (file)
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -20,8 +20,8 @@ Restart=always
  RestartSec=0
  ExecStart=@rootlibexecdir@/systemd-networkd
  CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
  RestartSec=0
  ExecStart=@rootlibexecdir@/systemd-networkd
  CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=full
+ProtectHome=yes
  WatchdogSec=1min
  
  [Install]
  WatchdogSec=1min
  
  [Install]
diff --git a/units/systemd-resolved.service.in b/units/systemd-resolved.service.in

index 787fde2c44ff8c4094e6e2223ae626290df2a06b..01336216221c298ae9d0fda648553e249ed7a9c3 100644 (file)
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@@ -16,8 +16,8 @@ Restart=always
  RestartSec=0
  ExecStart=@rootlibexecdir@/systemd-resolved
  CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
  RestartSec=0
  ExecStart=@rootlibexecdir@/systemd-resolved
  CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=full
+ProtectHome=yes
  
  [Install]
  WantedBy=multi-user.target
  
  [Install]
  WantedBy=multi-user.target
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in

index 9658149eefc630d2ae8af6bb190d27376170aa18..fe5ccb4601110205e730f46756a093b63576fef5 100644 (file)
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -16,5 +16,5 @@ BusName=org.freedesktop.timedate1
  CapabilityBoundingSet=CAP_SYS_TIME
  WatchdogSec=1min
  PrivateTmp=yes
  CapabilityBoundingSet=CAP_SYS_TIME
  WatchdogSec=1min
  PrivateTmp=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=yes
+ProtectHome=yes
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in

index 030e4a0423d16b4b2f1f18704493d31576e9852d..8d898e2fa767a0f687b865d6a768061df44107c0 100644 (file)
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -23,8 +23,8 @@ ExecStart=@rootlibexecdir@/systemd-timesyncd
  CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
  PrivateTmp=yes
  PrivateDevices=yes
  CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
  PrivateTmp=yes
  PrivateDevices=yes
-ReadOnlySystem=yes
-ProtectedHome=yes
+ProtectSystem=full
+ProtectHome=yes
  WatchdogSec=1min
  
  [Install]
  WatchdogSec=1min
  
  [Install]
author	Lennart Poettering <lennart@poettering.net>
	Wed, 4 Jun 2014 16:07:55 +0000 (18:07 +0200)
committer	Lennart Poettering <lennart@poettering.net>
	Wed, 4 Jun 2014 16:12:55 +0000 (18:12 +0200)
man/systemd.exec.xml		patch \| blob \| history
src/core/dbus-execute.c		patch \| blob \| history
src/core/execute.c		patch \| blob \| history
src/core/execute.h		patch \| blob \| history
src/core/load-fragment-gperf.gperf.m4		patch \| blob \| history
src/core/load-fragment.c		patch \| blob \| history
src/core/load-fragment.h		patch \| blob \| history
src/core/namespace.c		patch \| blob \| history
src/core/namespace.h		patch \| blob \| history
src/test/test-ns.c		patch \| blob \| history
units/systemd-bus-proxyd@.service.in		patch \| blob \| history
units/systemd-hostnamed.service.in		patch \| blob \| history
units/systemd-journal-gatewayd.service.in		patch \| blob \| history
units/systemd-journald.service.in		patch \| blob \| history
units/systemd-localed.service.in		patch \| blob \| history
units/systemd-machined.service.in		patch \| blob \| history
units/systemd-networkd.service.in		patch \| blob \| history
units/systemd-resolved.service.in		patch \| blob \| history
units/systemd-timedated.service.in		patch \| blob \| history
units/systemd-timesyncd.service.in		patch \| blob \| history