path: root/units/systemd-journald.service.in
Commit message | Author | Age | Files | Lines
* units: set NoNewPrivileges= for all long-running services
  Lennart Poettering, 2018-11-12, 1 file, -13/+14

  Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services.

  On SELinux systems this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels are permitted.

  And while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on.

  Fixes: #1219

* meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhere
  Zbigniew Jędrzejewski-Szmek, 2018-10-17, 1 file, -1/+1

* units: bump the RLIMIT_NOFILE soft limit for all services that access the journal
  Lennart Poettering, 2018-10-16, 1 file, -5/+3

  This updates the unit files of all our services that deal with journal stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value is the same as used for the new HIGH_RLIMIT_NOFILE we just added.

  With this we ensure all code that accesses the journal has a higher RLIMIT_NOFILE: the code that runs as a daemon via the unit files, and the code that is run from the user's command line via C code internal to the relevant tools. In some cases this means we'll redundantly bump the limits, as there are tools run both from the command line and as a service.

* units: switch from system call blacklist to whitelist
  Lennart Poettering, 2018-06-14, 1 file, -1/+2

  This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this means the new @system-service system call filter group will get serious real-life testing quickly.

  This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise.

  Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this should be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.

* Add SPDX license headers to unit files
  Zbigniew Jędrzejewski-Szmek, 2017-11-19, 1 file, -0/+2

* units: prohibit all IP traffic on all our long-running services (#6921)
  Lennart Poettering, 2017-10-04, 1 file, -0/+1

  Let's lock things down further.

* units: set LockPersonality= for all our long-running services (#6819)
  Lennart Poettering, 2017-09-14, 1 file, -0/+1

  Let's lock things down. Also, using it is the only way to properly test this to the fullest extent.

* journald: make sure we retain all stream fds across restarts (#6348)
  Michal Sekletar, 2017-07-17, 1 file, -1/+1

  Currently we set 4096 as the maximum number of stream connections that we accept. However, the maximum number of file descriptors that systemd is willing to accept from us is just 1024. This means we can't retain all stream connections that we accepted. Hence bump the limit of fds in the unit file so that systemd holds open all stream fds while we are restarted. The new limit is set to 4224 (4096 + 128).

* units: drop explicit NotifyAccess setting from journald's unit file (#5749)
  Michal Sekletar, 2017-04-19, 1 file, -1/+0

  systemd-journald.service consists of only a single process, and that is the MainPID. Make the unit file shorter and drop NotifyAccess=all since it is not useful in such a case.

  https://lists.freedesktop.org/archives/systemd-devel/2017-April/038667.html

* units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings
  Lennart Poettering, 2017-02-09, 1 file, -1/+1

  Tighten security up a bit more.

* units: restrict namespace for a good number of our own services
  Lennart Poettering, 2017-02-09, 1 file, -0/+1

  Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net".

* units: set SystemCallArchitectures=native on all our long-running services
  Lennart Poettering, 2017-02-09, 1 file, -0/+1

* units: further lock down our long-running services
  Lennart Poettering, 2016-09-25, 1 file, -1/+3

  Let's make this an exercise in dogfooding: let's turn on more security features for all our long-running services. Specifically:

  - Turn on RestrictRealtime=yes for all of them
  - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them
  - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each

  Also, always order settings in the unit files so that the various sandboxing features are close together. Add a couple of missing, older settings for a number of unit files.

  Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning off networking for udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.

* units: tighten system call filters a bit
  Lennart Poettering, 2016-06-13, 1 file, -1/+1

  Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.

* units: add a basic SystemCallFilter (#3471)
  Topi Miettinen, 2016-06-09, 1 file, -0/+1

  Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.

* units: enable MemoryDenyWriteExecute (#3459)
  Topi Miettinen, 2016-06-08, 1 file, -0/+1

  Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

  Closes: #3459

* journal: restore watchdog support
  Lennart Poettering, 2015-11-03, 1 file, -0/+1

* journald: never block when sending messages on NOTIFY_SOCKET socket
  Lennart Poettering, 2015-11-01, 1 file, -1/+0

  Otherwise we might run into deadlocks, when journald blocks on the notify socket on PID 1, and PID 1 blocks on IPC to dbus-daemon and dbus-daemon blocks on logging to journald. Break this cycle by making sure that journald never ever blocks on PID 1.

  Note that this change disables support for event loop watchdog support, as these messages are sent in blocking style by sd-event. That should not be a big loss though, as people reported frequent problems with the watchdog hitting journald on excessively slow IO.

  Fixes: #1505.

* units: increase watchdog timeout to 3min for all our services
  Lennart Poettering, 2015-09-29, 1 file, -1/+1

  Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services.

  See #1353 for an example where this triggers.

* Revert "units: add SecureBits"
  Lennart Poettering, 2015-02-11, 1 file, -1/+0

  This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47.

  Apparently this doesn't work.

  http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html

* units: add SecureBits
  Topi Miettinen, 2015-02-11, 1 file, -0/+1

  No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.

* journal: bump RLIMIT_NOFILE when journal files to 16K (if possible)
  Lennart Poettering, 2015-01-08, 1 file, -1/+3

  When there are a lot of split-out journal files, we might run out of fds quicker than we want. Hence: bump RLIMIT_NOFILE to 16K if possible. Do this even for journalctl.

  On Fedora the soft RLIMIT_NOFILE is at 1K, the hard at 4K by default for normal user processes; this code hence bumps this up for users to 4K.

  https://bugzilla.redhat.com/show_bug.cgi?id=1179980

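The bump described in this commit, written out as an added Python example (not systemd's code, which does this in C): raise the soft RLIMIT_NOFILE towards a target, capped by the hard limit, so that the Fedora defaults quoted above (1K soft, 4K hard) end up at 4K while a process with a higher or unlimited hard limit reaches the full 16K. The 16K target and the Fedora figures come from the commit message; the function names and the handling of an already-unlimited soft limit are this example's own choices.

```python
"""Raise the soft RLIMIT_NOFILE towards a target before opening many journal
files. Added example, not systemd's code: the 16K target and the 1K/4K Fedora
defaults come from the commit message, the rest is an assumed reimplementation."""
from __future__ import annotations
import resource

TARGET_NOFILE = 16 * 1024
RLIM_INFINITY = resource.RLIM_INFINITY


def reachable_soft(target: int, soft: int, hard: int) -> int:
    """Highest soft limit reachable without privilege: the target if the hard
    limit allows it, otherwise the hard limit, and never below the current soft
    (an already unlimited soft limit is left alone)."""
    if soft == RLIM_INFINITY:
        return soft
    cap = target if hard == RLIM_INFINITY else min(target, hard)
    return max(soft, cap)


def bump_nofile(target: int = TARGET_NOFILE) -> tuple[int, int]:
    """Apply reachable_soft() to this process; returns the resulting (soft, hard).
    Raising soft up to hard needs no privilege; asking for more than hard would
    raise ValueError, which reachable_soft() rules out in advance."""
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    wanted = reachable_soft(target, soft, hard)
    if wanted != soft:
        resource.setrlimit(resource.RLIMIT_NOFILE, (wanted, hard))
    return resource.getrlimit(resource.RLIMIT_NOFILE)


if __name__ == "__main__":
    print("before:", resource.getrlimit(resource.RLIMIT_NOFILE))
    print("after: ", bump_nofile())
```

Run it twice in the same process and the second call is a no-op; run it under a hard limit of 4096 and it stops there, which is the "for users to 4K" case in the message. Raising the hard limit itself needs CAP_SYS_RESOURCE, which is why the unit-file LimitNOFILE= changes further up exist alongside this in-process bump.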
* journald: allow restarting journald without losing stream connections
  Lennart Poettering, 2015-01-06, 1 file, -0/+1

  Making use of the fd storage capability of the previous commit, allow restarting journald by serializing stream state to /run, and pushing open fds to PID 1.

* units: make systemd-journald.service Type=notify
  Michal Schmidt, 2014-11-04, 1 file, -0/+1

  It already calls sd_notify(), so it looks like an oversight. Without it, its ordering to systemd-journal-flush.service is non-deterministic and the SIGUSR1 from flushing may kill journald before it has its signal handlers set up.

  https://bugs.freedesktop.org/show_bug.cgi?id=85871
  https://bugzilla.redhat.com/show_bug.cgi?id=1159641

* journald: if available pull audit messages from the kernel into journal logs
  Lennart Poettering, 2014-11-03, 1 file, -3/+3

* journald: add CAP_MAC_OVERRIDE in journald for SMACK issue
  Juho Son, 2014-10-22, 1 file, -1/+1

  systemd-journald checks the cgroup id to support the rate limit option for every message, so journald should be able to access the cgroup node of each process that sends messages to journald. In a system using SMACK, the cgroup node in proc is assigned an execute label as each process's execute label, so if journald doesn't want to be denied for every process, journald would need access rules for all processes' labels. That's too heavy, so we could give journald a special SMACK label to get permission for all accesses: the '^' label. When assigning the '^' execute SMACK label to systemd-journald, systemd-journald needs the CAP_MAC_OVERRIDE capability to get that SMACK privilege. So I want to note this information and set the default capability for journald whether the system uses SMACK or not, because that capability only affects SMACK-enabled kernels.

* core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
  Lennart Poettering, 2014-06-04, 1 file, -2/+0

  Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

  With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.

* journald: move /dev/log socket to /run
  Lennart Poettering, 2014-06-04, 1 file, -1/+2

  This way we can make the socket also available for sandboxed apps that have their own private /dev. They can now simply symlink the socket from /dev.

* core: add new ReadOnlySystem= and ProtectedHome= settings for service units
  Lennart Poettering, 2014-06-03, 1 file, -0/+2

  ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service.

  ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service.

  This patch also enables these settings for all our long-running services.

  Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.

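The "minimal service sandbox" this commit starts is what the later commits above keep extending, so here is an added Python example (not part of systemd or of this page) that audits a unit's [Service] section for the directives those commits introduced: ProtectSystem=/ProtectHome= here, and further up MemoryDenyWriteExecute=, the SystemCallFilter= deny-list of 2016-06-09 and its 2018-06-14 replacement by an allow-list on @system-service with SystemCallErrorNumber=EPERM, RestrictRealtime=/ProtectKernelTunables=/ProtectControlGroups=, SystemCallArchitectures=native, RestrictNamespaces=, LockPersonality=, IPAddressDeny=any and NoNewPrivileges=. The parser follows systemd's unit-file list semantics (a repeated assignment appends, an empty assignment resets, a trailing backslash continues the line) and systemd's folding rule for SystemCallFilter= (the first assignment decides allow- or deny-list, opposite-kind assignments remove entries), but only at the level of names: groups such as @system-service are not expanded into syscalls. The two sample units are constructed for the example and are not the real systemd-journald.service.in.

```python
"""Audit the [Service] sandboxing of a systemd unit file. Added example, not
systemd's code: directive names are real systemd options, SystemCallFilter=
folding stays at name level (groups are not expanded), samples are constructed."""
from __future__ import annotations

# Settings where repeated assignments accumulate and an empty value resets.
LIST_SETTINGS = {"SystemCallFilter", "RestrictAddressFamilies", "RestrictNamespaces",
                 "SystemCallArchitectures", "IPAddressDeny", "IPAddressAllow"}
# Boolean switches the log turns on for every long-running service.
WANT_TRUE = ["NoNewPrivileges", "LockPersonality", "MemoryDenyWriteExecute",
             "RestrictRealtime", "ProtectKernelTunables", "ProtectControlGroups"]
YES = {"yes", "true", "on", "1"}

def parse_unit(text: str) -> dict[str, dict[str, list[str]]]:
    """Sections, Key=Value, '#'/';' comments, backslash continuations and
    systemd's list semantics (append on repeat, reset on empty assignment)."""
    sections: dict[str, dict[str, list[str]]] = {}
    section, pending = None, ""
    for raw in text.splitlines():
        line = pending + raw.rstrip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            sections.setdefault(section, {})
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {line!r}")
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        values = sections[section].setdefault(key, [])
        if key not in LIST_SETTINGS:
            values[:] = [value]        # scalar: last assignment wins
        elif value == "":
            values.clear()             # empty assignment resets the list
        else:
            values.append(value)
    return sections

def syscall_filter(assignments: list[str]) -> tuple[str, set[str]]:
    """Fold SystemCallFilter= assignments into ('allow'|'deny'|'none', names).
    A leading '~' marks a deny-list; the first assignment fixes the mode and
    later assignments of the opposite kind remove entries, as in systemd."""
    mode, names = "none", set()
    for assignment in assignments:
        kind = "deny" if assignment.startswith("~") else "allow"
        items = assignment.lstrip("~").split()
        mode = kind if mode == "none" else mode
        (names.update if kind == mode else names.difference_update)(items)
    return mode, names

def audit(text: str) -> list[str]:
    """Findings against the hardening journald's unit accumulated; [] = clean."""
    svc = parse_unit(text).get("Service", {})
    last = lambda key: (svc.get(key) or [""])[-1]      # last value, or ""
    findings = [f"{key}= is not enabled" for key in WANT_TRUE
                if last(key).lower() not in YES]
    mode, names = syscall_filter(svc.get("SystemCallFilter", []))
    if mode == "none":
        findings.append("no SystemCallFilter= at all")
    elif mode == "deny":
        findings.append("SystemCallFilter= is a deny-list; prefer an allow-list built on @system-service")
    else:
        if "@system-service" not in names:
            findings.append("allow-list is not built on @system-service")
        if last("SystemCallErrorNumber") != "EPERM":
            findings.append("allow-list without SystemCallErrorNumber=EPERM: new kernel syscalls would SIGSYS the service")
    if last("SystemCallArchitectures") != "native":
        findings.append("SystemCallArchitectures=native not set")
    if "any" not in " ".join(svc.get("IPAddressDeny", [])).split():
        findings.append("IPAddressDeny=any not set")
    if last("RestrictNamespaces").lower() in {"", "no", "false", "off", "0"}:
        findings.append("RestrictNamespaces= not set")
    if last("ProtectSystem") not in {"yes", "full", "strict"}:
        findings.append("ProtectSystem= not set")
    if last("ProtectHome") not in {"yes", "read-only", "tmpfs"}:
        findings.append("ProtectHome= not set")
    return findings

# Constructed samples: a 2016-style deny-list unit, and one with the later settings.
SAMPLE_BEFORE = """[Service]
ExecStart=/usr/lib/systemd/systemd-journald
SystemCallFilter=~@clock @module @mount \\
                 @obsolete @raw-io ptrace
"""
SAMPLE_AFTER = ("[Service]\nExecStart=/usr/lib/systemd/systemd-journald\n"
                + "".join(f"{key}=yes\n" for key in WANT_TRUE + ["RestrictNamespaces"])
                + "SystemCallArchitectures=native\nSystemCallFilter=@system-service\n"
                  "SystemCallErrorNumber=EPERM\nIPAddressDeny=any\n"
                  "ProtectSystem=strict\nProtectHome=yes\n")
```

`audit(SAMPLE_BEFORE)` reports twelve findings, including the deny-list one; `audit(SAMPLE_AFTER)` reports none. On a live system `systemd-analyze security <unit>` is the authoritative check, since it reads the unit as systemd resolved it rather than the file text.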
* journald: port to sd-event and enable watchdog support
  Lennart Poettering, 2013-12-11, 1 file, -0/+1

* journal: don't pull in flush service from journald service
  Lennart Poettering, 2012-09-03, 1 file, -1/+0

  In the initrd we don't need the flush service hence don't attempt to pull it in.

* unit: make sure structured logging is available before we enter the main boot phase
  Lennart Poettering, 2012-09-03, 1 file, -0/+1

* units: don't enforce a holdoff time for journald, logind, udevd
  Lennart Poettering, 2012-07-18, 1 file, -0/+1

  These services should be restarted as quickly as possible if they fail, and the extra safety net of the holdoff time is not necessary.

* journal: replace implicit flushing of journal by explicit one
  Lennart Poettering, 2012-07-11, 1 file, -0/+1

  The old automatism that the flushing of the journal from /run to /var was triggered by the appearance of /var/log/journal is broken if that directory is mounted from another host and hence always available to be useful as mount point. To avoid problems with this, introduce a new unit that is explicitly ordered after all mounted file systems and triggers the flushing.

* units: automatically respawn the core services
  Lennart Poettering, 2012-06-28, 1 file, -0/+1

* units: fix man section
  Lennart Poettering, 2012-06-01, 1 file, -3/+2

* man: document systemd-journal
  Lennart Poettering, 2012-06-01, 1 file, -1/+1

* units: introduce new Documentation= field and make use of it everywhere
  Lennart Poettering, 2012-05-21, 1 file, -2/+1

  This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and descriptive information of a service.

  This patch adds the necessary fields to all our shipped units if we have proper documentation for them.

* relicense to LGPLv2.1 (with exceptions)
  Lennart Poettering, 2012-04-12, 1 file, -2/+2

  We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+.

  Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd.

  The bits that used to be MIT continue to be MIT.

  The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

* journal: add CAP_SETUID and CAP_SETGID to capabilities for journald, so that we can fake SCM_CREDENTIALS
  Lennart Poettering, 2012-02-10, 1 file, -1/+1

* journal: limit caps we pass to journald
  Lennart Poettering, 2012-02-09, 1 file, -1/+1

* journald: start the journal after the syslog socket, so that the syslog socket queues syslog messages from early boot on
  Lennart Poettering, 2012-01-06, 1 file, -1/+2

* journal: add unit files and shared library glue
  Lennart Poettering, 2011-12-30, 1 file, -0/+24