diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-06-15 11:34:44 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-06-15 11:34:44 +0200 |
| commit | 88f375b8c28806633d22ed99f6a5f1194c78ed73 (patch) | |
| tree | b099969654543306cddd793753d1b41311be374c /NEWS | |
| parent | 1e8c7bd55c288869d69aed3b943d3d970c3a98ae (diff) | |
| parent | e01d9e2193ad4699a0507fc631613b5666d4d897 (diff) | |
| download | systemd-88f375b8c28806633d22ed99f6a5f1194c78ed73.tar.gz | |
Merge pull request #8766 from poettering/syscall-filter-service
add a new `@system-service` syscall group that is good as a starting point for whitelisting syscalls
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 9 |
1 files changed, 9 insertions, 0 deletions
@@ -59,6 +59,15 @@ CHANGES WITH 239 in spe: both runtime and persistent enablement/masking, i.e. it will remove any relevant symlinks both in /run and /etc. + * Note that all long-running system services shipped with systemd will + now default to a system call whitelist (rather than a blacklist, as + before). In particular, systemd-udevd will now enforce one too. For + most cases this should be safe, however downstream distributions + which disabled sandboxing of systemd-udevd (specifically the + MountFlags= setting), might want to disable this security feature + too, as the default whitelisting will prohibit all mount, swap, + reboot and clock changing operations from udev rules. + * sd-boot acquired new loader configuration settings to optionally turn off Windows and MacOS boot partition discovery as well as reboot-into-firmware menu items. It is also able to pick a better |