Diffstat (limited to 'TODO')
-rw-r--r-- TODO 28
1 files changed, 9 insertions, 19 deletions
diff --git a/TODO b/TODO
index 14431d3a3b..0b2c2436fa 100644
--- a/TODO
+++ b/TODO
@@ -81,18 +81,19 @@ Janitorial Clean-ups:
Features:
+* systemd-dissect: show GPT disk UUID in output
+
+* Enable RestricFileSystems= for all our long-running services (similar:
+ RestrictNetworkInterfaces=)
+
+* Add systemd-analyze security checks for RestrictFileSystems= and
+ RestrictNetworkInterfaces=
+
* cryptsetup/homed: implement TOTP authentication backed by TPM2 and its
internal clock.
-* resolved: listen on 127.0.0.54 in addition to 127.0.0.53 and operate in proxy
- mode there unconditionally.
-
* nspawn: optionally set up nftables/iptables routes that forward UDP/TCP
- traffic on port 53 to resolved stub.
-
-* extend src/basic/filesystems.[ch] so that it can be used to translate any fs
- magic into a string. Then use that to replace fstype_magic_to_name() in homed
- sources, and similar code.
+ traffic on port 53 to resolved stub 127.0.0.54
* man: rework os-release(5), and clearly separate our extension-release.d/ and
initrd-release parts, i.e. list explicitly which fields are about what.
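Review bot: `RestricFileSystems=` in the second added item is missing a "t"; the next added item spells the setting `RestrictFileSystems=`, so a search for the real option name will not find this entry. In the rewritten nspawn item, "to resolved stub 127.0.0.54" would read better as "to the resolved stub at 127.0.0.54." with the final period restored, because the resolved item removed in this same hunk was the one that explained 127.0.0.54 as the proxy-mode listener and the nspawn item now has to carry that meaning on its own.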
@@ -329,9 +330,6 @@ Features:
* cryptsetup: optionally, when run during boot-up and password is never
entered, and we are on battery power (or so), power off machine again
-* cryptsetup: when FIDO2/PKCS#11/TPM2 token/chip didn't show up after some
- time, abort the attempt, fallback to asking for pw
-
* cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and
allow plymouth to abort the waiting and enter pw instead
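Review bot: the removed timeout-fallback item covered FIDO2, PKCS#11 and TPM2, while the plymouth item left in place directly below names only FIDO2/PKCS#11. If the removal means the fallback to a password prompt is done for all three device types, this is fine; if not, keep an entry for the TPM2 case so it stays tracked.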
@@ -388,8 +386,6 @@ Features:
* pid1: support new clone3() fork-into-cgroup feature
-* pid1: support new cgroup.kill to terminate all processes in a cgroup
-
* pid1: also remove PID files of a service when the service starts, not just
when it exits
@@ -431,9 +427,6 @@ Features:
for "hibernate" partitions, that are exactly like swap partitions but only
activated right before hibernation and thus never used for regular swapping.
-* by default, in systemd --user service bump the OOMAdjust to 100, as privs
- allow so that systemd survives
-
* socket units: allow creating a udev monitor socket with ListenDevices= or so,
with matches, then activate app through that passing socket over
@@ -1459,9 +1452,6 @@ Features:
- optionally automatically add FORWARD rules to iptables whenever nspawn is
running, remove them when shut down.
-* nspawn: make --bind= work sanely with --private-users when uid mapping mounts
- are used.
-
* nspawn: add support for sysext extensions, too. i.e. a new --extension=
switch that takes one or more arguments, and applies the extensions already
during startup.