diff options
author | Djalal Harouni <tixxdz@opendz.org> | 2016-10-12 14:11:16 +0200 |
---|---|---|
committer | Djalal Harouni <tixxdz@opendz.org> | 2016-10-12 14:11:16 +0200 |
commit | c575770b75b6cd15684fbacd249147bf5fd6ead7 (patch) | |
tree | 1dbde008e50d9ab2780168dd26ead86a762959dc /src/test | |
parent | doc: minor hint about InaccessiblePaths= in regard of ProtectKernelTunables= (diff) | |
download | systemd-c575770b75b6cd15684fbacd249147bf5fd6ead7.tar.xz systemd-c575770b75b6cd15684fbacd249147bf5fd6ead7.zip |
core:sandbox: lets make /lib/modules/ inaccessible on ProtectKernelModules=
Lets go further and make /lib/modules/ inaccessible for services that do
not have business with modules, this is a minor improvment but it may
help on setups with custom modules and they are limited... in regard of
kernel auto-load feature.
This change introduce NameSpaceInfo struct which we may embed later
inside ExecContext but for now lets just reduce the argument number to
setup_namespace() and merge ProtectKernelModules feature.
Diffstat (limited to '')
-rw-r--r-- | src/test/test-ns.c | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/src/test/test-ns.c b/src/test/test-ns.c index c4d4da6d05..da7a8b0565 100644 --- a/src/test/test-ns.c +++ b/src/test/test-ns.c @@ -45,6 +45,14 @@ int main(int argc, char *argv[]) { "/home/lennart/projects", NULL }; + + static const NameSpaceInfo ns_info = { + .private_dev = true, + .protect_control_groups = true, + .protect_kernel_tunables = true, + .protect_kernel_modules = true, + }; + char *root_directory; char *projects_directory; int r; @@ -69,14 +77,12 @@ int main(int argc, char *argv[]) { log_info("Not chrooted"); r = setup_namespace(root_directory, + &ns_info, (char **) writable, (char **) readonly, (char **) inaccessible, tmp_dir, var_tmp_dir, - true, - true, - true, PROTECT_HOME_NO, PROTECT_SYSTEM_NO, 0); |