This repository has been archived by the owner on Sep 24, 2020. It is now read-only.

Backport ProtectSystem=strict reversion to v234 #93

Merged (1 commit), Nov 29, 2017


@bgilbert

Backport of #91.


@bgilbert bgilbert left a comment


There are a few missed reversions; not sure if they're important.

This doesn't revert units/systemd-journal-gatewayd.service.in; should it?

@@ -23,7 +23,7 @@ RuntimeMaxSec=5min
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=strict
ProtectSystem=full
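Review bot: a ReadWritePaths= entry that was added alongside ProtectSystem=strict needs to be reverted in this same hunk, directly below the ProtectSystem= line, and the lines shown change only ProtectSystem=. With full, only /usr, /boot and /etc are mounted read-only, so such an entry under /var no longer has any effect and would stay behind as dead configuration that a later reader takes for a real restriction. Suggest reverting the whole original commit rather than editing this line alone.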


Should ReadWritePaths=/var/lib/systemd/coredump be dropped?

@@ -18,7 +18,7 @@ WatchdogSec=3min
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
ProtectSystem=strict
ProtectSystem=full


Should ReadWritePaths=/var/log/journal/remote be dropped?

@@ -29,7 +29,7 @@ WatchdogSec=3min
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_NET_RAW CAP_NET_BIND_SERVICE
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectSystem=full
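Review bot: the commit should record why strict is being backed out for this unit, since the CapabilityBoundingSet= line above the change keeps CAP_DAC_OVERRIDE, CAP_CHOWN and CAP_FOWNER. With full, everything outside /usr, /boot and /etc stays writable to the service, so the read-only mount was the main limit on what those capabilities could modify. A one-line reason in the commit message, or a comment next to ProtectSystem=full, would tell whoever revisits this when strict can be restored.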


ReadWritePaths=/run/systemd?

@@ -26,7 +26,7 @@ WatchdogSec=3min
CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectSystem=full


ReadWritePaths=/var/lib/systemd?

@ajeddeloh
Author

ajeddeloh commented Nov 29, 2017

Updated via reverting the commit instead of cherry-picking the other reversion commit. Should be complete now. I'm going to triple check PR 91 and make sure there isn't anything missed in that, given how uncleanly it applied.

Edit: #91 is good. Some things switched to using StateDirectory after 234, which means the 235 reversion commit didn't have the ReadWritePaths changes, hence why I missed them initially when cherry-picking it. #91 also doesn't have the gateway unit change since its ProtectSystem=strict was already removed for unrelated reasons.
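An added example, not part of this pull request or of systemd: a small check for the leftover the review comments ask about, a ReadWritePaths= entry that remains after ProtectSystem=strict has been reverted to full. The unit fragment is constructed, and the function names and the choice to skip units that set other path restrictions are assumptions of this sketch.

```python
import posixpath

# Directories that ProtectSystem=full mounts read-only, per systemd.exec(5).
FULL_READ_ONLY = ("/usr", "/boot", "/etc")
# Settings that can make a path read-only again; if present, leave the unit to a human.
OTHER_RESTRICTIONS = ("ReadOnlyPaths", "InaccessiblePaths", "ProtectHome")

# Constructed unit fragment: ProtectSystem= reverted, ReadWritePaths= left behind.
SAMPLE_UNIT = """\
[Service]
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=full
ReadWritePaths=/var/lib/systemd/coredump
"""


def service_settings(unit_text):
    """Return {key: [values]} for the [Service] section of a unit file."""
    settings, in_service = {}, False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            in_service = line == "[Service]"
        elif in_service and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def leftover_read_write_paths(unit_text):
    """List ReadWritePaths= entries that have no effect under ProtectSystem=full."""
    s = service_settings(unit_text)
    if s.get("ProtectSystem", [""])[-1] != "full":
        return []  # under strict the entries are still needed
    if any(key in s for key in OTHER_RESTRICTIONS):
        return []  # an entry may be re-opening one of these
    leftovers = []
    for value in s.get("ReadWritePaths", []):
        for path in value.split():
            clean = posixpath.normpath(path.lstrip("-+"))
            if not any(clean == d or clean.startswith(d + "/") for d in FULL_READ_ONLY):
                leftovers.append(path)
    return leftovers


if __name__ == "__main__":
    print(leftover_read_write_paths(SAMPLE_UNIT))
```

Entries under /usr, /boot or /etc are not reported, because full keeps those trees read-only and the entry still changes behaviour there.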
