summaryrefslogtreecommitdiff
path: root/units/systemd-timedated.service.in
Commit message (Collapse)AuthorAgeFilesLines
* license: LGPL-2.1+ -> LGPL-2.1-or-laterYu Watanabe2020-11-091-1/+1
|
* man,units: link to the new dbus-api man pagesZbigniew Jędrzejewski-Szmek2020-09-301-2/+3
|
* units: turn on ProtectProc= wherever suitableLennart Poettering2020-08-241-1/+2
|
* units: set ProtectKernelLogs=yes on relevant unitsKevin Kuehler2019-11-151-0/+1
| | | | | | We set ProtectKernelLogs=yes on all long running services except for udevd, since it accesses /dev/kmsg, and journald, since it calls syslog and accesses /dev/kmsg.
* meson: allow WatchdogSec= in services to be configuredZbigniew Jędrzejewski-Szmek2019-10-251-1/+1
| | | | | | | | | | | | | | | | As discussed on systemd-devel [1], in Fedora we get lots of abrt reports about the watchdog firing [2], but 100% of them seem to be caused by resource starvation in the machine, and never actual deadlocks in the services being monitored. Killing the services not only does not improve anything, but it makes the resource starvation worse, because the service needs cycles to restart, and coredump processing is also fairly expensive. This adds a configuration option to allow the value to be changed. If the setting is not set, there is no change. My plan is to set it to some ridiculusly high value, maybe 1h, to catch cases where a service is actually hanging. [1] https://lists.freedesktop.org/archives/systemd-devel/2019-October/043618.html [2] https://bugzilla.redhat.com/show_bug.cgi?id=1300212
* units: deny access to block devicesTopi Miettinen2019-06-201-0/+1
| | | | | | While the need for access to character devices can be tricky to determine for the general case, it's obvious that most of our services have no need to access block devices. For logind and timedated this can be tightened further.
* units: turn on RestrictSUIDSGID= in most of our long-running daemonsLennart Poettering2019-04-021-0/+1
|
* units: enable ProtectHostname=yesTopi Miettinen2019-02-201-0/+1
|
* units: set NoNewPrivileges= for all long-running servicesLennart Poettering2018-11-121-13/+14
| | | | | | | | | | | | | | | | | Previously, setting this option by default was problematic due to SELinux (as this would also prohibit the transition from PID1's label to the service's label). However, this restriction has since been lifted, hence let's start making use of this universally in our services. On SELinux system this change should be synchronized with a policy update that ensures that NNP-ful transitions from init_t to service labels is permitted. An while we are at it: sort the settings in the unit files this touches. This might increase the size of the change in this case, but hopefully should result in stabler patches later on. Fixes: #1219
* units: switch from system call blacklist to whitelistLennart Poettering2018-06-141-1/+2
| | | | | | | | | | | | | | | | | | | | | This is generally the safer approach, and is what container managers (including nspawn) do, hence let's move to this too for our own services. This is particularly useful as this this means the new @system-service system call filter group will get serious real-life testing quickly. This also switches from firing SIGSYS on unexpected syscalls to returning EPERM. This would have probably been a better default anyway, but it's hard to change that these days. When whitelisting system calls SIGSYS is highly problematic as system calls that are newly introduced to Linux become minefields for services otherwise. Note that this enables a system call filter for udev for the first time, and will block @clock, @mount and @swap from it. Some downstream distributions might want to revert this locally if they want to permit unsafe operations on udev rules, but in general this shiuld be mostly safe, as we already set MountFlags=shared for udevd, hence at least @mount won't change anything.
* Add SPDX license headers to unit filesZbigniew Jędrzejewski-Szmek2017-11-191-0/+2
|
* units: prohibit all IP traffic on all our long-running services (#6921)Lennart Poettering2017-10-041-0/+1
| | | Let's lock things down further.
* units: set LockPersonality= for all our long-running services (#6819)Lennart Poettering2017-09-141-0/+1
| | | | Let's lock things down. Also, using it is the only way how to properly test this to the fullest extent.
* units: use https for the freedesktop url (#6227)AsciiWolf2017-06-281-1/+1
|
* units: make use of @reboot and @swap in our long-running service ↵Lennart Poettering2017-02-091-1/+1
| | | | | | SystemCallFilter= settings Tighten security up a bit more.
* units: turn on ProtectKernelModules= for most long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: switch on ProtectSystem=strict for our long running servicesLennart Poettering2017-02-091-1/+2
| | | | Let's step up the protection a notch
* units: restrict namespace for a good number of our own servicesLennart Poettering2017-02-091-0/+1
| | | | | | | | Basically, we turn it on for most long-running services, with the exception of machined (whose child processes need to join containers here and there), and importd (which sandboxes tar in a CLONE_NEWNET namespace). machined is left unrestricted, and importd is restricted to use only "net"
* units: set SystemCallArchitectures=native on all our long-running servicesLennart Poettering2017-02-091-0/+1
|
* units: further lock down our long-running servicesLennart Poettering2016-09-251-1/+5
| | | | | | | | | | | | | | | | | | | | | | | | Let's make this an excercise in dogfooding: let's turn on more security features for all our long-running services. Specifically: - Turn on RestrictRealtime=yes for all of them - Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of them - Turn on RestrictAddressFamilies= for all of them, but different sets of address families for each Also, always order settings in the unit files, that the various sandboxing features are close together. Add a couple of missing, older settings for a numbre of unit files. Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively turning of networking from udev rule commands. Since this might break stuff (that is already broken I'd argue) this is documented in NEWS.
* units: tighten system call filters a bitLennart Poettering2016-06-131-1/+1
| | | | | Take away kernel keyring access, CPU emulation system calls and various debug system calls from the various daemons we have.
* units: add a basic SystemCallFilter (#3471)Topi Miettinen2016-06-091-0/+1
| | | | | | | Add a line SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace for daemons shipped by systemd. As an exception, systemd-timesyncd needs @clock system calls and systemd-localed is not privileged. ptrace(2) is blocked to prevent seccomp escapes.
* units: enable MemoryDenyWriteExecute (#3459)Topi Miettinen2016-06-081-0/+1
| | | | | Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute. Closes: #3459
* units: increase watchdog timeout to 3min for all our servicesLennart Poettering2015-09-291-1/+1
| | | | | | | | Apparently, disk IO issues are more frequent than we hope, and 1min waiting for disk IO happens, so let's increase the watchdog timeout a bit, for all our services. See #1353 for an example where this triggers.
* Revert "units: add SecureBits"Lennart Poettering2015-02-111-1/+0
| | | | | | | | This reverts commit 6a716208b346b742053cfd01e76f76fb27c4ea47. Apparently this doesn't work. http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
* units: add SecureBitsTopi Miettinen2015-02-111-0/+1
| | | | | | No setuid programs are expected to be executed, so add SecureBits=noroot noroot-locked to unit files.
* core: rename ReadOnlySystem= to ProtectSystem= and add a third value for ↵Lennart Poettering2014-06-041-2/+2
| | | | | | | | | | also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
* core: add new ReadOnlySystem= and ProtectedHome= settings for service unitsLennart Poettering2014-06-031-0/+2
| | | | | | | | | | | | | | ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
* units: make use of PrivateTmp=yes and PrivateDevices=yes for all our ↵Lennart Poettering2014-03-191-0/+1
| | | | long-running daemons
* event: hook up sd-event with the service watchdog logicLennart Poettering2013-12-111-0/+1
| | | | | | | | | | | | | Adds a new call sd_event_set_watchdog() that can be used to hook up the event loop with the watchdog supervision logic of systemd. If enabled and $WATCHDOG_USEC is set the event loop will ping the invoking systemd daemon right after coming back from epoll_wait() but not more often than $WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than $WATCHDOG_USEC/4*3, to make sure the service manager is called in time. This means that setting WatchdogSec= in a .service file and calling sd_event_set_watchdog() in your daemon is enough to hook it up with the watchdog logic.
* man: remove timezone(5) and add localtime(5)Shawn Landden2012-09-141-1/+1
|
* man: document systemd-timedated.serviceLennart Poettering2012-06-251-1/+1
|
* units: introduce new Documentation= field and make use of it everywhereLennart Poettering2012-05-211-2/+2
| | | | | | | | | | This should help making the boot process a bit easier to explore and understand for the administrator. The simple idea is that "systemctl status" now shows a link to documentation alongside the other status and decriptionary information of a service. This patch adds the necessary fields to all our shipped units if we have proper documentation for them.
* units: explicit Type=dbus is now redundantLennart Poettering2012-05-031-1/+0
|
* relicense to LGPLv2.1 (with exceptions)Lennart Poettering2012-04-121-2/+2
| | | | | | | | | | | | | | We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
* mechanisms: add mechanisms to change system locale and clockLennart Poettering2011-06-211-0/+17