diff options
author | Lennart Poettering <lennart@poettering.net> | 2014-06-03 23:41:44 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2014-06-03 23:57:51 +0200 |
commit | 417116f23432073162ebfcb286a7800846482eed (patch) | |
tree | 8e6076d15760c8079deb32eff461e0cc3168fa61 /src/test/test-ns.c | |
parent | networkd: split runtime config dir from state dir (diff) | |
download | systemd-417116f23432073162ebfcb286a7800846482eed.tar.xz systemd-417116f23432073162ebfcb286a7800846482eed.zip |
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
Diffstat (limited to 'src/test/test-ns.c')
-rw-r--r-- | src/test/test-ns.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/src/test/test-ns.c b/src/test/test-ns.c index ad0d0419c4..71581934cb 100644 --- a/src/test/test-ns.c +++ b/src/test/test-ns.c @@ -60,6 +60,8 @@ int main(int argc, char *argv[]) { tmp_dir, var_tmp_dir, true, + PROTECTED_HOME_NO, + false, 0); if (r < 0) { log_error("Failed to setup namespace: %s", strerror(-r)); |