summaryrefslogtreecommitdiffstats
path: root/units/systemd-importd.service.in (follow)
Commit message (Collapse)AuthorAgeFilesLines
* units: switch from system call blacklist to whitelistLennart Poettering2018-06-141-1/+2
| | | | | | | | | | | | | | | | | | | | | This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* Add SPDX license headers to unit filesZbigniew Jędrzejewski-Szmek2017-11-191-0/+2
|
* units: set LockPersonality= for all our long-running services (#6819)Lennart Poettering2017-09-141-0/+1
| | | | Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
* units: use https for the freedesktop url (#6227)AsciiWolf2017-06-291-1/+1
|
* units: make use of @reboot and @swap in our long-running service ↵Lennart Poettering2017-02-091-1/+1
| | | | | | SystemCallFilter= settings Tighten security up a bit more.
* units: restrict namespace for a good number of our own servicesLennart Poettering2017-02-091-0/+1
| | | | | | | | Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net"
* units: set SystemCallArchitectures=native on all our long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: further lock down our long-running servicesLennart Poettering2016-09-251-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* units: permit importd to mount stuffLennart Poettering2016-09-251-1/+1
| | | | Fixes #3996
* units: tighten system call filters a bitLennart Poettering2016-06-131-1/+1
| | | | | Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.
* units: add a basic SystemCallFilter (#3471)Topi Miettinen2016-06-091-0/+1
| | | | | | | Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.
* units: enable MemoryDenyWriteExecute (#3459)Topi Miettinen2016-06-081-0/+1
| | | | | Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute. Closes: #3459
* man: link some unit files to their online bus API documentationLennart Poettering2016-02-231-0/+1
|
* units: increase watchdog timeout to 3min for all our servicesLennart Poettering2015-09-291-1/+1
| | | | | | | | Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
* units: set KillMode=mixed for our daemons that fork worker processesLennart Poettering2015-04-241-0/+1
| | | | | | | The daemons should really have the time to kill the workers first, before systemd does it, hence use KillMode=mixed for these daemons. https://bugs.freedesktop.org/show_bug.cgi?id=90051
* importd: add CAP_DAC_OVERRIDE capabilityLubomir Rintel2015-04-211-1/+1
| | | | | | | | | | | Fedora's filesystem package ships /usr/bin (and other directories) which are not writable by its owner. machinectl pull-dkr (and possibly others) are not able to extract those: 14182 mkdirat(3, "usr", 0700) = 0 14182 mkdirat(3, "usr/bin", 0500) = 0 14182 openat(3, "usr/bin/[", O_WRONLY|O_CREAT|O_EXCL|O_NOCTTY|O_NONBLOCK|O_CLOEXEC, 0700) = -1 EACCES (Permission denied) ...
* importd: create a loopback btrfs file system for /var/lib/machines, if necessaryLennart Poettering2015-02-241-3/+0
| | | | | | | | | | | | | | | | | When manipulating container and VM images we need efficient and atomic directory snapshots and file copies, as well as disk quota. btrfs provides this, legacy file systems do not. Hence, implicitly create a loopback file system in /var/lib/machines.raw and mount it to /var/lib/machines, if that directory is not on btrfs anyway. This is done implicitly and transparently the first time the user invokes "machinectl import-xyz". This allows us to take benefit of btrfs features for container management without actually having the rest of the system use btrfs. The loopback is sized 500M initially. Patches to grow it dynamically are to follow.
* Revert "units: add SecureBits"Lennart Poettering2015-02-111-1/+0
| | | | | | | | This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
* units: add SecureBitsTopi Miettinen2015-02-111-0/+1
| | | | | | No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
* importd: run daemon at minimal capabilitiesLennart Poettering2015-01-221-1/+2
|
* import: introduce new mini-daemon systemd-importd, and make machinectl a ↵Lennart Poettering2015-01-221-0/+19
client to it The old "systemd-import" binary is now an internal tool. We still use it as asynchronous backend for systemd-importd. Since the import tool might require some IO and CPU resources (due to qcow2 explosion, and decompression), and because we might want to run it with more minimal priviliges we still keep it around as the worker binary to execute as child process of importd. machinectl now has verbs for pulling down images, cancelling them and listing them.