pid1: add ProtectSystem= as system-wide configuration, and default it to true in the initrd

This adds a new ProtectSystem= setting that mirrors the option of the same name of services, but in a more restrictive way. If enabled, it will remount /usr/ to read-only, very early at boot. Takes a special value "auto" (which is the default) which is equivalent to true in the initrd, and false otherwise.

Unlike the per-service option we don't support full/strict modes, but the door is open to eventually support that too if it makes sense. It's not entirely trivial though as we have very little mounted this early, and hence the mechanism might not apply 1:1. Hence this PR is a conservative first step.

My primary goal with this is to lock down initrds a bit, since they conceptually are mostly immutable, but they are unpacked into a mutable tmpfs. Let's tighten the screws a bit on that, and at least make /usr/ immutable. This is particularly nice on USIs (i.e. Unified System Images, that pack a whole OS into a UKI without transitioning out of it), such as diskomator.
1 parent 8e3dc73, commit ffc1ec7
Showing 3 changed files with 89 additions and 1 deletion.
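The commit message describes the observable effect of the new setting (with ProtectSystem=auto, /usr/ is remounted read-only in the initrd and left alone otherwise) but the diff itself is not shown on this page. The following is an added example, not code from systemd or from this commit: it parses the /proc/self/mountinfo format to determine whether /usr is actually mounted read-only, and compares that against what the described "auto" semantics would predict for a given boot phase. The mountinfo sample is constructed for the example; `check_live()` reads the real file when run on a Linux host.

```python
"""Verify whether /usr is mounted read-only, as ProtectSystem= in the initrd is described to do."""
import os

# Constructed sample in /proc/self/mountinfo format (not captured from a real system):
# fields: id parent major:minor root mount_point per-mount-options ... - fstype source sb-options
SAMPLE_MOUNTINFO = """\
22 1 0:21 / / rw,relatime shared:1 - tmpfs rootfs rw
37 22 7:0 / /usr ro,nosuid,nodev,relatime shared:20 - erofs /dev/loop0 ro
40 22 0:35 / /tmp rw,nosuid,nodev shared:25 - tmpfs tmpfs rw
"""


def parse_mountinfo(text):
    """Return a list of (mount_point, per-mount option set) tuples.

    Only the per-mount options (field 6) matter here: a 'remount,ro' of a
    single mount point shows up there as 'ro', independent of the superblock
    options that follow the ' - ' separator.
    """
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed line, skip rather than guess
        mount_point = fields[4].replace("\\040", " ")  # mountinfo escapes spaces as \040
        options = set(fields[5].split(","))
        mounts.append((mount_point, options))
    return mounts


def find_mount(mounts, path):
    """Longest-prefix match: the mount entry that actually provides `path`."""
    best = None
    for mount_point, options in mounts:
        prefix = mount_point.rstrip("/") + "/"
        if path == mount_point or path.startswith(prefix):
            if best is None or len(mount_point) > len(best[0]):
                best = (mount_point, options)
    return best


def usr_is_read_only(mountinfo_text):
    """True if the mount providing /usr carries the per-mount 'ro' flag."""
    entry = find_mount(parse_mountinfo(mountinfo_text), "/usr")
    return entry is not None and "ro" in entry[1]


def expected_protect_system(setting, in_initrd):
    """Resolve a ProtectSystem= value the way the commit message describes:
    'auto' means true in the initrd and false otherwise; other values are
    read as plain booleans (assumed spellings, as used by systemd's
    boolean parser)."""
    if setting == "auto":
        return in_initrd
    return setting.lower() in ("1", "yes", "y", "true", "t", "on")


def check_live(setting="auto", in_initrd=None):
    """Compare the live mount state with the expected outcome. Returns
    (expected_ro, actual_ro). Initrd detection uses the conventional
    /etc/initrd-release marker (an assumption for this example)."""
    if in_initrd is None:
        in_initrd = os.path.exists("/etc/initrd-release")
    with open("/proc/self/mountinfo") as f:
        actual = usr_is_read_only(f.read())
    return expected_protect_system(setting, in_initrd), actual


if __name__ == "__main__":
    print("sample: /usr read-only ->", usr_is_read_only(SAMPLE_MOUNTINFO))
    if os.path.exists("/proc/self/mountinfo"):
        expected, actual = check_live()
        print(f"live: expected ro={expected}, actual ro={actual}")
```

A mismatch between the expected and actual values (for example, expected True inside an initrd but /usr still rw) is the signal worth alerting on; the per-mount option field is the right one to inspect, since the superblock options after the separator describe the filesystem as a whole rather than this mount point.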