diff options
| author | Lennart Poettering <lennart@poettering.net> | 2024-10-30 09:06:33 +0100 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2024-10-30 09:06:37 +0100 |
| commit | c79d38d4127c630431017c389cce6006e671e5af (patch) | |
| tree | 141ee19ddb1a2e57d56e3d3b333db93549e12553 /TODO | |
| parent | core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID= (#34932) (diff) | |
| download | systemd-c79d38d4127c630431017c389cce6006e671e5af.tar.xz systemd-c79d38d4127c630431017c389cce6006e671e5af.zip | |
update TODO
Diffstat (limited to 'TODO')
| -rw-r--r-- | TODO | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -129,6 +129,17 @@ Deprecations and removals: Features: +* system lsmbpf policy that prohibits creating files owned by "nobody" + system-wide + +* system lsmpbf policy that prohibits creating or opening device nodes outside + of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null, + /dev/zero, /dev/urandom and so on. + +* system lsmbpf policy that enforces that block device backed mounts may only + be established on top of dm-crypt or dm-verity devices, or an allowlist of + file systems (which should probably include vfat, for compat with the ESP) + * $LISTEN_PID, $MAINPID and $SYSTEMD_EXECPID env vars that the service manager sets should be augmented with $LISTEN_PIDFDID, $MAINPIDFDID and $SYSTEMD_EXECPIDFD (and similar for other env vars we might send). |