[systemd-commits] 3 commits - TODO man/systemd.exec.xml src/timesync
Lennart Poettering
lennart at kemper.freedesktop.org
Mon Jan 26 17:36:48 PST 2015
TODO | 8 ++++++++
man/systemd.exec.xml | 11 ++++++-----
src/timesync/timesyncd.c | 4 ++++
3 files changed, 18 insertions(+), 5 deletions(-)
New commits:
commit 687f6a0ba77872299b9fb1f2f04d31c977088a63
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Jan 27 02:36:40 2015 +0100
update TODO
diff --git a/TODO b/TODO
index a248e81..c87469a 100644
--- a/TODO
+++ b/TODO
@@ -31,6 +31,14 @@ External:
Features:
+* When RLIMIT_NPROC is set from a unit file it currently always is set
+ for root, not for the user set in User=, which makes it
+ useless. After fixing this, set RLIMIT_NPROC for
+ systemd-journal-xyz, and all other of our services that run under
+ their own user ids, and use User= (but only in a world where userns
+ is ubiquitous since otherwise we cannot invoke those daemons on the
+ host AND in a container anymore).
+
* logind: maybe allow configuration of the StopTimeout for session scopes
* Set NoNewPriviliges= on all of our own services, where that makes sense
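Review bot: the new entry says the limit ends up applying to root rather than to the User= account but not which part of the exec path causes that (where the rlimits are applied relative to the uid switch), so naming that code path would make the item actionable for whoever picks it up. It also says little about why userns is the precondition for re-enabling it; one clause tying this to the per-uid counting mentioned in the timesyncd commit ("the limit is counted per uid across all containers that share the host uid") would save the next reader a trip to the kernel docs. Unrelated to this change, the untouched context line reads "NoNewPriviliges=" where the option is NoNewPrivileges=, worth fixing in a follow-up.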
commit 7e26029ff36d6112bd8c3273327c97708f9ee61e
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Jan 27 02:33:46 2015 +0100
timesyncd: set RLIMIT_NPROC to 2
This way timesyncd cannot be used to fork().
Note that it generally is not safe to use RLIMIT_NPROC, since it breaks
running the same daemon in multiple containers if they do not use user
namespacing. However, timesyncd is excepted from running in a container
anyway, hence it is safe in this case.
diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index f7e089f..2a73dac 100644
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -113,6 +113,10 @@ int main(int argc, char *argv[]) {
if (r < 0)
goto finish;
+ /* We need one process for ourselves, plus one thread for the asynchronous resolver */
+ if (setrlimit(RLIMIT_NPROC, &RLIMIT_MAKE_CONST(2)) < 0)
+ log_warning_errno(errno, "Failed to lower RLIMIT_NPROC to 2: %m");
+
assert_se(sigprocmask_many(SIG_BLOCK, SIGTERM, SIGINT, -1) == 0);
r = manager_new(&m);
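Review bot: the call is only meaningful once privileges have been dropped to timesyncd's own uid, because root in the initial user namespace and holders of CAP_SYS_RESOURCE/CAP_SYS_ADMIN are not subject to RLIMIT_NPROC at all; the visible context does not show the privilege drop, so the comment should state that this must stay after it, otherwise a later reordering of main() silently turns the limit into a no-op. Second, RLIMIT_NPROC is compared against the total number of processes and threads of the real uid on the whole system, not of this process, so the value 2 leaves exactly the main process plus the resolver thread and no headroom if anything else ever runs under the same user (the container caveat in the commit message is the same per-uid counting issue). Third, RLIMIT_MAKE_CONST(2) sets the hard limit as well, which is the intended effect (the process cannot raise it again); spelling that out in the comment, e.g. "soft and hard, so it cannot be undone", would make the intent explicit. Warning instead of failing on setrlimit() error seems fine since this is defence in depth rather than a functional requirement.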
commit c51cbfdcc7f38438553e4c2c60499f6aea7cc504
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Jan 27 02:19:33 2015 +0100
man: document that ProtectSystem= also covers /boot
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index b338899..cbaec9f 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1064,13 +1064,14 @@
argument or
<literal>full</literal>. If true,
mounts the <filename>/usr</filename>
- directory read-only for processes
+ and <filename>/boot</filename>
+ directories read-only for processes
invoked by this unit. If set to
<literal>full</literal>, the
- <filename>/etc</filename> directory is mounted
- read-only, too. This setting ensures
- that any modification of the vendor
- supplied operating system (and
+ <filename>/etc</filename> directory is
+ mounted read-only, too. This setting
+ ensures that any modification of the
+ vendor supplied operating system (and
optionally its configuration) is
prohibited for the service. It is
recommended to enable this setting for
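Review bot: the only content change is adding /boot, but the sentence about /etc was rewrapped at the same time, which makes the hunk three lines larger than the change and obscures it in blame; keeping the original line breaks for the unchanged sentence would leave a one-line diff. Since the text now promises that /boot is mounted read-only, a short note on what happens when /boot is not a mount point or does not exist on the system would also help readers judge what the setting actually guarantees on their layout.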
More information about the systemd-commits
mailing list
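The per-uid counting and root exemption behind both the TODO entry and the timesyncd commit above, as an added C example that is not systemd code: lower_nproc_limit and nproc_limit_probe are names chosen here, and lower_nproc_limit reproduces what the commit's RLIMIT_MAKE_CONST does by setting soft and hard limit to the same value.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

enum { NPROC_ENFORCED = 0, NPROC_EXEMPT = 1, NPROC_ERROR = 2 }; /* probe outcomes */

/* Same effect as the commit's setrlimit(RLIMIT_NPROC, &RLIMIT_MAKE_CONST(n)):
 * soft and hard limit both become n, so the process can never raise it again. */
static int lower_nproc_limit(rlim_t n) {
        struct rlimit rl = { .rlim_cur = n, .rlim_max = n };
        return setrlimit(RLIMIT_NPROC, &rl) < 0 ? -errno : 0;
}

/* Lower RLIMIT_NPROC to 1 in a throwaway child and let it try to fork().
 * The kernel checks the limit against the number of processes and threads
 * already running under the real uid, and the child is one of them, so for an
 * unprivileged uid the fork must fail with EAGAIN. Root in the initial user
 * namespace (or CAP_SYS_RESOURCE/CAP_SYS_ADMIN) is exempt, which is why a
 * limit applied before the switch to User= is useless, as the TODO says. */
int nproc_limit_probe(void) {
        int status;
        pid_t pid = fork();
        if (pid < 0)
                return NPROC_ERROR;
        if (pid == 0) {
                struct rlimit rl;
                pid_t grandchild;
                if (lower_nproc_limit(1) < 0)
                        _exit(NPROC_ERROR);
                /* getrlimit() reports the new values whether or not they get enforced */
                if (getrlimit(RLIMIT_NPROC, &rl) < 0 || rl.rlim_cur != 1 || rl.rlim_max != 1)
                        _exit(NPROC_ERROR);
                grandchild = fork();
                if (grandchild == 0)
                        _exit(0);
                if (grandchild < 0)
                        _exit(errno == EAGAIN ? NPROC_ENFORCED : NPROC_ERROR);
                waitpid(grandchild, NULL, 0);
                _exit(NPROC_EXEMPT);
        }
        if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
                return NPROC_ERROR;
        return WEXITSTATUS(status);
}

int main(void) {
        int r = nproc_limit_probe();
        printf("RLIMIT_NPROC=1 in a child: %s\n", r == NPROC_ENFORCED ? "enforced, fork() refused with EAGAIN" : r == NPROC_EXEMPT ? "exempt (privileged uid)" : "error");
        return r == NPROC_ERROR;
}
```

Run it once as an unprivileged user and once as root to see the two outcomes; the same two cases are what decide whether a unit's RLIMIT_NPROC setting has any effect.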