[systemd-commits] man/systemd.exec.xml src/core

Lennart Poettering lennart at kemper.freedesktop.org
Thu Jun 5 01:05:28 PDT 2014


 man/systemd.exec.xml |    3 +--
 src/core/namespace.c |    4 ++--
 2 files changed, 3 insertions(+), 4 deletions(-)

New commits:
commit 5331194c120520579eede9dba4bd9c3329629601
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Jun 5 10:03:26 2014 +0200

    core: don't include /boot in effect of ProtectSystem=
    
    This would otherwise unconditionally trigger any /boot autofs mount,
    which we probably should avoid.
    
    ProtectSystem= will now only cover /usr and (optionally) /etc, both of
    which cannot be autofs anyway.
    
    ProtectHome= will continue to cover /run/user and /home. The former
    cannot be autofs either. /home could be, but it is used frequently
    enough (unlike /boot) that it isn't too problematic to simply trigger
    it unconditionally via ProtectHome=.

diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index d426ac0..c5bb55c 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -941,8 +941,7 @@
                                 argument or
                                 <literal>full</literal>. If true,
                                 mounts the <filename>/usr</filename>
-                                and <filename>/boot</filename>
-                                directories read-only for processes
+                                directory read-only for processes
                                 invoked by this unit. If set to
                                 <literal>full</literal> the
                                 <filename>/etc</filename> is mounted
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 080c086..b6deab7 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -357,7 +357,7 @@ int setup_namespace(
                 strv_length(inaccessible_dirs) +
                 private_dev +
                 (protect_home != PROTECT_HOME_NO ? 2 : 0) +
-                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+                (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +
                 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
 
         if (n > 0) {
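Review bot: The literal counts in the `protect_system` terms of the sum for `n` have to be kept equal by hand to the number of paths the later `append_mounts()` call passes via `STRV_MAKE(...)`, and nothing in the code ties the two together. With this commit they agree (1 for `/usr`, plus 1 for `/etc` under `PROTECT_SYSTEM_FULL`). If `n` sizes the mount array, which is not visible in this hunk, an undercount after a future edit would let `append_mounts()` write past it. I would add a comment above these terms, e.g. `/* keep in sync with the STRV_MAKE() lists passed to append_mounts() below */`. `setup_namespace()` begins and ends outside the hunk.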
@@ -399,7 +399,7 @@ int setup_namespace(
                 }
 
                 if (protect_system != PROTECT_SYSTEM_NO) {
-                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc", "-/boot") : STRV_MAKE("/usr", "-/boot"), READONLY);
+                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY);
                         if (r < 0)
                                 return r;
                 }
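Review bot: After this change `/boot` stays writable for units that set `ProtectSystem=`, and nothing at the `append_mounts()` call says the omission is intentional. The reason is only in the commit message (making it read-only would trigger a `/boot` autofs mount), so a later reader could re-add it or assume kernel and boot-loader files are still covered. I would add a comment above the call, e.g. `/* /boot is left out on purpose: remounting it would trigger a /boot autofs mount; use ReadOnlyDirectories=/boot where it must be protected */`. The enclosing `setup_namespace()` starts and ends outside this hunk.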


