Commit Graph

132 Commits

Author SHA1 Message Date
Lennart Poettering
c51cbfdcc7 man: document that ProtectSystem= also covers /boot 2015-01-27 02:19:33 +01:00
Ronny Chevalier
6067b34a1f man: document that we set both soft and hard limits for Limit directives
See
http://cgit.freedesktop.org/systemd/systemd/tree/src/core/load-fragment.c#n1100
2014-11-30 20:45:01 +01:00
Ronny Chevalier
536256fc91 man: fix typos 2014-11-30 20:20:59 +01:00
Ronny Chevalier
b8825fff7b man: document equivalence between Limit directives and ulimit
See https://bugs.freedesktop.org/show_bug.cgi?id=80341
2014-11-30 20:17:00 +01:00
WaLyong Cho
2ca620c4ed smack: introduce new SmackProcessLabel option
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.

[zj: reword man page]
2014-11-24 10:20:53 -05:00
Lennart Poettering
2134b5ef6b man: SyslogIdentifier= has an effect on journal logging too 2014-10-09 11:37:01 +02:00
Zbigniew Jędrzejewski-Szmek
e060073a8f man: say that SecureBits= are space separated 2014-10-03 21:06:52 -04:00
Michael Biebl
67826132ad man: fix references to systemctl man page which is now in section 1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760613
2014-09-06 13:45:18 +02:00
Ruben Kerkhof
06b643e7f5 Fix a few more typos 2014-08-30 13:46:07 -04:00
Ronny Chevalier
8257df2767 man: fix typo 2014-08-18 21:02:07 +02:00
Lennart Poettering
79c1afc67f man: improve documentation for StandardOutput= and StandardInput= 2014-08-11 19:29:25 +02:00
Ansgar Burchardt
ef392da6c5 Correct references to ProtectSystem and ProtectHome in documentation 2014-08-04 09:27:20 -04:00
Zbigniew Jędrzejewski-Szmek
8e8ba962c7 man: proper link for dmesg 2014-07-10 22:52:23 -04:00
Zbigniew Jędrzejewski-Szmek
5aded36978 man: add a mapping for external manpages
It is annoying when we have dead links on fd.o.

Add project='man-pages|die-net|archlinux' to <citerefentry>-ies.

In generated html, add external links to
http://man7.org/linux/man-pages/man, http://linux.die.net/man/,
https://www.archlinux.org/.

By default, pages in sections 2 and 4 go to man7, since Michael
Kerrisk is the autorative source on kernel related stuff.

The rest of links goes to linux.die.net, because they have the
manpages.

Except for the pacman stuff, since it seems to be only available from
archlinux.org.

Poor gummiboot gets no link, because gummitboot(8) ain't to be found
on the net. According to common wisdom, that would mean that it does
not exist. But I have seen Kay using it, so I know it does, and
deserves to be found. Can somebody be nice and put it up somewhere?
2014-07-07 18:36:55 -04:00
Jan Engelhardt
8d0e0ddda6 doc: grammatical corrections 2014-06-28 00:06:30 -04:00
Lennart Poettering
d6797c920e namespace: beef up read-only bind mount logic
Instead of blindly creating another bind mount for read-only mounts,
check if there's already one we can use, and if so, use it. Also,
recursively mark all submounts read-only too. Also, ignore autofs mounts
when remounting read-only unless they are already triggered.
2014-06-06 14:37:40 +02:00
Lennart Poettering
5331194c12 core: don't include /boot in effect of ProtectSystem=
This would otherwise unconditionally trigger any /boot autofs mount,
which we probably should avoid.

ProtectSystem= will now only cover /usr and (optionally) /etc, both of
which cannot be autofs anyway.

ProtectHome will continue to cover /run/user and /home. The former
cannot be autofs either. /home could be, however is frequently enough
used (unlikey /boot) so that it isn't too problematic to simply trigger
it unconditionally via ProtectHome=.
2014-06-05 10:03:26 +02:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Nis Martensen
f1721625e7 fix spelling of privilege 2014-05-19 00:40:44 +09:00
Jan Engelhardt
b8bde11658 doc: comma placement corrections and word order
Set commas where there should be some.
Some improvements to word order.
2014-05-07 20:13:27 -04:00
Jan Engelhardt
dca348bcbb doc: corrections to words and forms
This patch exchange words which are inappropriate for a situation,
deletes duplicated words, and adds particles where needed.
2014-05-07 20:13:26 -04:00
Jan Engelhardt
70a44afee3 doc: typographical fine tuning 2014-05-06 23:05:39 +02:00
Lennart Poettering
905826156d man: be more specific when EnvironmentFile= is read
http://lists.freedesktop.org/archives/systemd-devel/2014-March/018004.html
2014-03-25 00:26:09 +01:00
Lennart Poettering
7f8aa67131 core: remove tcpwrap support
tcpwrap is legacy code, that is barely maintained upstream. It's APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) questionnable. We should not support this natively in
systemd.

Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost.
2014-03-24 20:07:42 +01:00
Lennart Poettering
c2c13f2df4 unit: turn off mount propagation for udevd
Keep mounts done by udev rules private to udevd. Also, document how
MountFlags= may be used for this.
2014-03-20 04:16:39 +01:00
Lennart Poettering
907afa0682 man: improve documentation of fs namespace related settings 2014-03-19 22:26:08 +01:00
Lennart Poettering
f1660f96f5 core: drop CAP_MKNOD when PrivateDevices= is set 2014-03-18 17:58:19 +01:00
Lennart Poettering
e66cf1a3f9 core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings
As discussed on the ML these are useful to manage runtime directories
below /run for services.
2014-03-03 17:55:32 +01:00
Lennart Poettering
f513e420c8 exec: imply NoNewPriviliges= only when seccomp filters are used in user mode 2014-02-26 02:28:52 +01:00
Lennart Poettering
4298d0b512 core: add new RestrictAddressFamilies= switch
This new unit settings allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.

This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform.
2014-02-26 02:19:28 +01:00
Michael Scherer
eef65bf3ee core: Add AppArmor profile switching
This permit to switch to a specific apparmor profile when starting a daemon. This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
2014-02-21 03:44:20 +01:00
Lennart Poettering
b67f562c9c man: document $MAINPID 2014-02-19 03:27:03 +01:00
Lennart Poettering
ac45f971a1 core: add Personality= option for units to set the personality for spawned processes 2014-02-19 03:27:03 +01:00
Lennart Poettering
e9642be2cc seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for
nspawn.
2014-02-18 22:14:00 +01:00
Jan Engelhardt
66f756d437 doc: resolve missing/extraneous words or inappropriate forms
Issues fixed:
* missing words required by grammar
* duplicated or extraneous words
* inappropriate forms (e.g. singular/plural), and declinations
* orthographic misspellings
2014-02-17 19:03:07 -05:00
Jan Engelhardt
73e231abde doc: update punctuation
Resolve spotted issues related to missing or extraneous commas, dashes.
2014-02-17 19:03:07 -05:00
Zbigniew Jędrzejewski-Szmek
6db2742802 man: replace STDOUT with standard output, etc.
Actually 'STDOUT' is something that doesn't appear anywhere: in the
stdlib we have 'stdin', and there's only the constant STDOUT_FILENO,
so there's no reason to use capitals. When refering to code,
STDOUT/STDOUT/STDERR are replaced with stdin/stdout/stderr, and in
other places they are replaced with normal phrases like standard
output, etc.
2014-02-14 22:03:40 -05:00
Jason St. John
bcddd5bf80 man: fix grammatical errors and other formatting issues
* standardize capitalization of STDIN, STDOUT, and STDERR
* reword some sentences for clarity
* reflow some very long lines to be shorter than ~80 characters
* add some missing <literal>, <constant>, <varname>, <option>, and <filename> tags
2014-02-14 22:03:40 -05:00
Lennart Poettering
57183d117a core: add SystemCallArchitectures= unit setting to allow disabling of non-native
architecture support for system calls

Also, turn system call filter bus properties into complex types instead
of concatenated strings.
2014-02-13 00:24:00 +01:00
Lennart Poettering
17df7223be core: rework syscall filter
- Allow configuration of an errno error to return from blacklisted
  syscalls, instead of immediately terminating a process.

- Fix parsing logic when libseccomp support is turned off

- Only keep the actual syscall set in the ExecContext, and generate the
  string version only on demand.
2014-02-12 18:30:36 +01:00
Ronny Chevalier
c0467cf387 syscallfilter: port to libseccomp 2014-02-12 18:30:36 +01:00
Lennart Poettering
82adf6af7c nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way:

  SMACK: "Smack Label"
  SELINUX: "SELinux Security Context"

And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly.
2014-02-10 13:18:16 +01:00
Michael Scherer
0d3f7bb3a5 exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for others settings.
Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway.
2014-02-10 13:18:16 +01:00
Michael Scherer
7b52a628f8 exec: Add SELinuxContext configuration item
This permit to let system administrators decide of the domain of a service.
This can be used with templated units to have each service in a différent
domain ( for example, a per customer database, using MLS or anything ),
or can be used to force a non selinux enabled system (jvm, erlang, etc)
to start in a different domain for each service.
2014-02-10 13:18:16 +01:00
Lennart Poettering
7f112f50fe exec: introduce PrivateDevices= switch to provide services with a private /dev
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them.
2014-01-20 21:28:37 +01:00
Zbigniew Jędrzejewski-Szmek
c5b37953b7 man: mention which variables will be expanded in ExecStart 2014-01-09 22:23:42 -05:00
Jan Engelhardt
e0e009c067 man: grammar and wording improvements
This is a recurring submission and includes corrections to:
- missing words, preposition choice.
- change of /lib to /usr/lib, because that is what most distros are
  using as the system-wide location for systemd/udev files.
2013-12-25 22:53:46 -05:00
Jan Engelhardt
b040723ea4 man: improvements to comma placement
This is a recurring submission and includes corrections to:
comma placement.
2013-12-25 22:53:46 -05:00
Lennart Poettering
613b411c94 service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces 2013-11-27 20:28:48 +01:00