dasharo/systemd - systemd - ProxGit

dasharo/systemd

mirror of https://github.com/Dasharo/systemd.git synced 2026-03-06 15:02:31 -08:00

Go to file

Iago López Galeiras 24832d10b6 core: allow using seccomp without no_new_privs when unprivileged

Until now, using any form of seccomp while being unprivileged (User=)
resulted in systemd enabling no_new_privs.

There's no need for doing this because:

* We trust the filters we apply
* If User= is set and a process wants to apply a new seccomp filter, it
will need to set no_new_privs itself

An example of application that might want seccomp + !no_new_privs is a
program that wants to run as an unprivileged user but uses file
capabilities to start a web server on a privileged port while
benefitting from a restrictive seccomp profile.

We now keep the privileges needed to do seccomp before calling
enforce_user() and drop them after the seccomp filters are applied.

If the syscall filter doesn't allow the needed syscalls to drop the
privileges, we keep the previous behavior by enabling no_new_privs.

2023-11-07 11:31:53 +01:00

.clusterfuzzlite

ci: unpin CFLite

2022-04-26 09:13:57 +00:00

mkosi: explicitly disable KVM in GHA runs

2023-11-02 12:16:11 +00:00

test: use 'until' instead of 'while !'

2023-09-06 19:54:29 +01:00

tree-wide: s/life-cycle/lifecycle/g

2023-11-06 20:16:34 +01:00

coccinelle: don't run iovec-make on iovec_done{,_erase}

2023-10-25 11:16:37 +02:00

tree-wide: s/life-cycle/lifecycle/g

2023-11-06 20:16:34 +01:00

docs: excorcise NIS from nsswitch.conf

2023-09-20 15:17:52 +02:00

Update hwdb

2023-11-06 10:37:29 +00:00

LICENSES/README.md: fix syntax

2023-07-08 22:33:53 +00:00

core: allow using seccomp without no_new_privs when unprivileged

2023-11-07 11:31:53 +01:00

Revert "mkosi: Use cache and build subdirectories"

2023-11-06 20:10:34 +01:00

mkosi: Use RuntimeTrees= to mount sources

2023-10-20 12:43:57 +02:00

meson: install the right README file in modprobe.d

2021-07-07 14:52:05 +02:00

meson: /etc/systemd/network is also used by udevd

2023-11-03 12:02:51 +09:00

po: Translated using Weblate (Portuguese)

2023-11-01 11:54:47 +09:00

preset: enable systemd-networkd-wait-online.service by default

2023-06-07 21:51:37 +01:00

udev: add new builtin net_driver

2023-11-01 16:00:19 +00:00

shell-completion

meson: Always build bootctl

2023-10-25 16:49:24 +02:00

core: allow using seccomp without no_new_privs when unprivileged

2023-11-07 11:31:53 +01:00

sysctl.d: Fix pid_max comment

2023-10-31 13:07:49 +01:00

sysusers.d: create the user for systemd-journal-upload.service

2023-06-19 23:42:00 +02:00

Merge pull request #29888 from mrc0mmand/network-generator

2023-11-07 00:10:43 +00:00

Revert "Revert "tmpfiles.d: adjust /dev/vfio/vfio access mode""

2023-08-09 11:27:39 +09:00

tools: syscall tables moved to a subdirectory

2023-11-01 14:07:54 +00:00

units: add units that put together and install a TPM2 PCR policy at boot

2023-11-03 11:24:45 +01:00

xorg/50-systemd-user: add a full license header

2021-10-01 14:45:00 +02:00

.clang-format

clang-format: Adjust style of pointers

2022-05-30 04:00:54 +09:00

.ctags

editors: Prevent ctags from following symlinks

2019-02-15 11:01:20 -08:00

.dir-locals.el

scripts: use 4 space indentation

2019-04-12 08:30:31 +02:00

.editorconfig

editorconfig: add NEWS whitespace configuration

2023-10-26 22:41:03 +01:00

.gitattributes

Mark all base64 files as generated

2023-08-16 12:49:45 +02:00

.gitignore

Add mkosi.conf to gitignore

2023-09-22 08:14:10 +02:00

.mailmap

mailmap: "reduce contributor count by 13"

2023-08-16 12:49:42 +02:00

.packit.yml

Revert "ci: temporarily disable Packit's i386"

2023-09-17 22:18:49 +02:00

.pylintrc

Add .pylintrc to globally suppress warnings we don't really care about

2023-08-10 18:13:29 +02:00

.vimrc

vimrc: explicitly set shiftwidth for the C file type

2023-09-18 13:11:45 +02:00

.ycm_extra_conf.py

ycm: add doc string for all the functions in configuration file

2017-11-29 13:21:49 -07:00

configure

configure: update meson invocation

2023-07-29 14:08:06 +02:00

LICENSE.GPL2

…

LICENSE.LGPL2.1

…

Makefile

tree-wide: add spdx header on all scripts and helpers

2021-01-28 09:55:35 +01:00

meson_options.txt

Merge pull request #29508 from CodethinkLabs/systemd-vmspawn-pr

2023-11-03 16:04:38 +00:00

meson.build

Merge pull request #28891 from poettering/pcrlock

2023-11-03 16:07:43 +00:00

mkosi.kernel.config

mkosi: Don't disable CONFIG_USB

2023-09-06 12:58:30 +02:00

NEWS

Merge pull request #29879 from Flowdalic/cgroup-memory-peak

2023-11-07 09:53:57 +08:00

README

docs: excorcise NIS from nsswitch.conf

2023-09-20 15:17:52 +02:00

README.md

Update badge on README to refer new scorecard viewer (#28050 )

2023-06-15 19:24:32 +01:00

TODO

TODO: fix more typos

2023-11-07 10:49:58 +01:00

README.md

System and Service Manager

Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list or join our IRC channel.

Stable branches with backported patches are available in the stable repo.