diff options
| author | Lennart Poettering <lennart@poettering.net> | 2014-06-03 23:41:44 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2014-06-03 23:57:51 +0200 |
| commit | 417116f23432073162ebfcb286a7800846482eed (patch) | |
| tree | 8e6076d15760c8079deb32eff461e0cc3168fa61 /units/systemd-localed.service.in | |
| parent | 85b5673b337048fa881a5afb1d00d1a7b95950fb (diff) | |
| download | systemd-417116f23432073162ebfcb286a7800846482eed.tar.gz | |
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
Diffstat (limited to 'units/systemd-localed.service.in')
| -rw-r--r-- | units/systemd-localed.service.in | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index ae1c5e59d1..e1792d6546 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -18,3 +18,5 @@ WatchdogSec=1min PrivateTmp=yes PrivateDevices=yes PrivateNetwork=yes +ReadOnlySystem=yes +ProtectedHome=yes |