diff options
Diffstat (limited to 'units')
| -rw-r--r-- | units/container-getty@.service.m4.in | 4 | ||||
| -rw-r--r-- | units/getty@.service.m4 | 4 | ||||
| -rw-r--r-- | units/meson.build | 20 | ||||
| -rw-r--r-- | units/serial-getty@.service.m4 | 4 | ||||
| -rw-r--r-- | units/sysinit.target | 13 | ||||
| -rw-r--r-- | units/systemd-coredump@.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-hostnamed.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-journal-gatewayd.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-journald.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-localed.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-logind.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-machined.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-timedated.service.in | 1 | ||||
| -rw-r--r-- | units/systemd-udevd.service.in | 1 |
14 files changed, 28 insertions, 26 deletions
diff --git a/units/container-getty@.service.m4.in b/units/container-getty@.service.m4.in index 3d287b9491..4b822f0e3b 100644 --- a/units/container-getty@.service.m4.in +++ b/units/container-getty@.service.m4.in @@ -19,8 +19,8 @@ ConditionPathExists=/dev/pts/%I # IgnoreOnIsolate is an issue: when someone isolates rescue.target, # tradition expects that we shut down all but the main console. -Conflicts=rescue.service emergency.service -Before=rescue.service emergency.service +Conflicts=rescue.service +Before=rescue.service [Service] # The '-o' option value tells agetty to replace 'login' arguments with an diff --git a/units/getty@.service.m4 b/units/getty@.service.m4 index c2665e3f6b..ff1b3c3d87 100644 --- a/units/getty@.service.m4 +++ b/units/getty@.service.m4 @@ -23,8 +23,8 @@ IgnoreOnIsolate=yes # IgnoreOnIsolate causes issues with sulogin, if someone isolates # rescue.target or starts rescue.service from multi-user.target or # graphical.target. -Conflicts=rescue.service emergency.service -Before=rescue.service emergency.service +Conflicts=rescue.service +Before=rescue.service # On systems without virtual consoles, don't start any getty. Note # that serial gettys are covered by serial-getty@.service, not this diff --git a/units/meson.build b/units/meson.build index 2024d0bfa1..8494d23e9e 100644 --- a/units/meson.build +++ b/units/meson.build @@ -180,7 +180,7 @@ in_units = [ ['systemd-reboot.service', ''], ['systemd-remount-fs.service', '', 'local-fs.target.wants/'], - ['systemd-resolved.service', 'ENABLE_RESOLVED', + ['systemd-resolved.service', 'ENABLE_RESOLVE', join_paths(pkgsysconfdir, 'system/dbus-org.freedesktop.resolve1.service') + ' ' + join_paths(pkgsysconfdir, 'system/multi-user.target.wants/')], ['systemd-rfkill.service', 'ENABLE_RFKILL'], @@ -205,9 +205,9 @@ in_units = [ 'sysinit.target.wants/'], ['systemd-update-done.service', '', 'sysinit.target.wants/'], - ['systemd-update-utmp-runlevel.service', 'HAVE_UTMP HAVE_SYSV_COMPAT', + ['systemd-update-utmp-runlevel.service', 'ENABLE_UTMP HAVE_SYSV_COMPAT', 'multi-user.target.wants/ graphical.target.wants/ rescue.target.wants/'], - ['systemd-update-utmp.service', 'HAVE_UTMP', + ['systemd-update-utmp.service', 'ENABLE_UTMP', 'sysinit.target.wants/'], ['systemd-user-sessions.service', '', 'multi-user.target.wants/'], @@ -244,8 +244,8 @@ foreach tuple : in_units # we do this here because install_data does not accept custom_target output conds = tuple[1].split(' ') - install = ((conds.get(0, '') == '' or conf.get(conds[0], false)) and - (conds.get(1, '') == '' or conf.get(conds[1], false))) + install = ((conds.get(0, '') == '' or conf.get(conds[0]) == 1) and + (conds.get(1, '') == '' or conf.get(conds[1]) == 1)) gen1 = configure_file( input : file + '.in', @@ -273,8 +273,8 @@ foreach tuple : m4_units # we do this here because install_data does not accept custom_target output conds = tuple[1].split(' ') - install = ((conds.get(0, '') == '' or conf.get(conds[0], false)) and - (conds.get(1, '') == '' or conf.get(conds[1], false))) + install = ((conds.get(0, '') == '' or conf.get(conds[0]) == 1) and + (conds.get(1, '') == '' or conf.get(conds[1]) == 1)) custom_target( file, @@ -297,8 +297,8 @@ foreach tuple : units input = tuple.get(3, file) conds = tuple[1].split(' ') - install = ((conds.get(0, '') == '' or conf.get(conds[0], false)) and - (conds.get(1, '') == '' or conf.get(conds[1], false))) + install = ((conds.get(0, '') == '' or conf.get(conds[0]) == 1) and + (conds.get(1, '') == '' or conf.get(conds[1]) == 1)) if install install_data(input, @@ -321,7 +321,7 @@ meson.add_install_script(meson_make_symlink, meson.add_install_script(meson_make_symlink, join_paths(dbussystemservicedir, 'org.freedesktop.systemd1.service'), join_paths(dbussessionservicedir, 'org.freedesktop.systemd1.service')) -if conf.get('HAVE_SYSV_COMPAT', false) +if conf.get('HAVE_SYSV_COMPAT') == 1 foreach i : [1, 2, 3, 4, 5] meson.add_install_script( 'sh', '-c', diff --git a/units/serial-getty@.service.m4 b/units/serial-getty@.service.m4 index d6da914454..e56f47652c 100644 --- a/units/serial-getty@.service.m4 +++ b/units/serial-getty@.service.m4 @@ -24,8 +24,8 @@ IgnoreOnIsolate=yes # IgnoreOnIsolate causes issues with sulogin, if someone isolates # rescue.target or starts rescue.service from multi-user.target or # graphical.target. -Conflicts=rescue.service emergency.service -Before=rescue.service emergency.service +Conflicts=rescue.service +Before=rescue.service [Service] # The '-o' option value tells agetty to replace 'login' arguments with an diff --git a/units/sysinit.target b/units/sysinit.target index 8d01cbdc1b..ec33503330 100644 --- a/units/sysinit.target +++ b/units/sysinit.target @@ -8,13 +8,6 @@ [Unit] Description=System Initialization Documentation=man:systemd.special(7) -Wants=swap.target local-fs.target -After=swap.target local-fs.target - -# local-fs.target uses OnFailure="emergency.target" to start an emergency -# shell. In that case we also need to cancel everything that relies on -# local-fs.target. Flooding the screen with yellow [DEPEND] failures would -# be unhelpful. Therefore we break the chain here. We use a Wants -# dependency instead of Requires, and use a Conflict with emergency.target, -# so that we are cancelled without actually failing any more units. -Conflicts=emergency.target +Conflicts=emergency.service emergency.target +Wants=local-fs.target swap.target +After=local-fs.target swap.target emergency.service emergency.target diff --git a/units/systemd-coredump@.service.in b/units/systemd-coredump@.service.in index d7eaf3398e..ef58f0cb3e 100644 --- a/units/systemd-coredump@.service.in +++ b/units/systemd-coredump@.service.in @@ -34,4 +34,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any StateDirectory=systemd/coredump diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in index 9bb5ad8cac..cfee2cbbf1 100644 --- a/units/systemd-hostnamed.service.in +++ b/units/systemd-hostnamed.service.in @@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any ReadWritePaths=/etc diff --git a/units/systemd-journal-gatewayd.service.in b/units/systemd-journal-gatewayd.service.in index b24d698c8a..44caa0e0b2 100644 --- a/units/systemd-journal-gatewayd.service.in +++ b/units/systemd-journal-gatewayd.service.in @@ -12,6 +12,7 @@ Requires=systemd-journal-gatewayd.socket [Service] ExecStart=@rootlibexecdir@/systemd-journal-gatewayd +User=systemd-journal-gateway SupplementaryGroups=systemd-journal DynamicUser=yes PrivateDevices=yes diff --git a/units/systemd-journald.service.in b/units/systemd-journald.service.in index 07e03e736e..a747fe3f1f 100644 --- a/units/systemd-journald.service.in +++ b/units/systemd-journald.service.in @@ -30,6 +30,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any # Increase the default a bit in order to allow many simultaneous # services being run since we keep one fd open per service. Also, when diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in index 1366fa7910..5dd8b18894 100644 --- a/units/systemd-localed.service.in +++ b/units/systemd-localed.service.in @@ -30,4 +30,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any ReadWritePaths=/etc diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index f6daf7755c..de380a27d3 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -31,6 +31,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any FileDescriptorStoreMax=512 # Increase the default a bit in order to allow many simultaneous diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in index fb4df38293..03b9bf5c0d 100644 --- a/units/systemd-machined.service.in +++ b/units/systemd-machined.service.in @@ -24,6 +24,7 @@ RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any # Note that machined cannot be placed in a mount namespace, since it # needs access to the host's mount namespace in order to implement the diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in index 9fca1d1905..97130e93c3 100644 --- a/units/systemd-timedated.service.in +++ b/units/systemd-timedated.service.in @@ -28,4 +28,5 @@ RestrictAddressFamilies=AF_UNIX SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any ReadWritePaths=/etc diff --git a/units/systemd-udevd.service.in b/units/systemd-udevd.service.in index d3d13ed7cf..03909f5d7f 100644 --- a/units/systemd-udevd.service.in +++ b/units/systemd-udevd.service.in @@ -29,3 +29,4 @@ RestrictRealtime=yes RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 SystemCallArchitectures=native LockPersonality=yes +IPAddressDeny=any |