path: root/src/test/test-ns.c
author: Lennart Poettering <lennart@poettering.net> 2014-06-03 23:41:44 +0200
committer: Lennart Poettering <lennart@poettering.net> 2014-06-03 23:57:51 +0200
commit: 417116f23432073162ebfcb286a7800846482eed (patch)
tree: 8e6076d15760c8079deb32eff461e0cc3168fa61 /src/test/test-ns.c
parent: networkd: split runtime config dir from state dir (diff)
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be a good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
Diffstat (limited to 'src/test/test-ns.c')
-rw-r--r-- src/test/test-ns.c | 2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/test/test-ns.c b/src/test/test-ns.c
index ad0d0419c4..71581934cb 100644
--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -60,6 +60,8 @@ int main(int argc, char *argv[]) {
tmp_dir,
var_tmp_dir,
true,
+ PROTECTED_HOME_NO,
+ false,
0);
if (r < 0) {
log_error("Failed to setup namespace: %s", strerror(-r));
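Review bot: Both new arguments in this hunk select the disabled behaviour (`PROTECTED_HOME_NO` and `false`), so the test still only exercises the pre-existing namespace-setup path and gives no coverage of the ReadOnlySystem= and ProtectedHome= behaviour this commit introduces; consider a second invocation (or a command-line switch in this test) that passes a non-default protected-home value and `true` for the read-only-system flag, then verifies that /usr, /boot and /home end up mounted as the commit message describes. The bare positional `false` is also not self-describing next to the existing `true`; a short comment naming it as the read-only-system flag would let a reader match it to the setting without opening the callee.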