@@ -5,14 +5,46 @@ CHANGES WITH 232 in spe
55 * The new RemoveIPC= option can be used to remove IPC objects owned by
66 the user or group of a service when that service exits.
77
8+ * ProtectSystem= option gained a new value "strict", which causes the
9+ whole file system tree with the exception of /dev, /proc, and /sys,
10+ to be remounted read-only for a service.
11+
12+ The new ProtectedKernelTunables= options can be used to disable
13+ modification of configuration files in /sys and /proc by a service.
14+ Various directories and files are remounted read-only, so access is
15+ restricted even if the file permissions would allow it.
16+
17+ The new ProtectControlGroups= option can be used to disable write
18+ access by a service to /sys/fs/cgroup.
19+
20+ * Various systemd services have been hardened with
21+ ProtectKernelTunables=yes, ProtectControlGroups=yes,
22+ RestrictAddressFamilies=.
23+
24+ In particular, systemd-udevd.service is now run in a Seccomp-based
25+ sandbox that prohibits access to AF_INET and AF_INET6 sockets and
26+ thus access to the network. This might break code that runs from udev
27+ rules that tries to talk to the network. Doing that is generally a
28+ bad idea and unsafe due to a variety of reasons. It's also racy as
29+ device management would race against network configuration. It is
30+ recommended to rework such rules to use the SYSTEMD_WANTS property on
31+ the relevant devices to pull in a proper systemd service (which can
32+ be sandboxed differently and ordered correctly after the network
33+ having come up). If that's not possible consider reverting this
34+ sandboxing feature locally by removing the RestrictAddressFamilies=
35+ setting from the systemd-udevd.service unit file, or adding AF_INET
36+ and AF_INET6 to it.
37+
838 * Support for dynamically creating users for the lifetime of a service
939 has been added. If DynamicUser=yes is specified, user and group IDs
1040 will be allocated from the range 61184..65519 for the lifetime of the
1141 service. They can be resolved using the new nss-systemd.so NSS
1242 module. The module must be enabled in /etc/nsswitch.conf. Services
1343 started in this way have PrivateTmp= and RemoveIPC= enabled, so that
1444 any resources allocated by the service will be cleaned up when the
15- service exits.
45+ service exits. They also have ProtectHome=read-only and
46+ ProtectSystem=strict enabled, so they are not able to make any
47+ permanent modifications to the system.
1648
1749 The nss-systemd module also always resolves root and nobody, making
1850 it possible to have no /etc/passwd or /etc/group files in minimal
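Review bot: the option name is misspelled in the new paragraph "The new ProtectedKernelTunables= options can be used to disable modification of configuration files in /sys and /proc by a service." The same hunk refers to it as ProtectKernelTunables= in the hardening bullet ("ProtectKernelTunables=yes, ProtectControlGroups=yes,"), so the "Protected" form and the plural "options" should be corrected to "The new ProtectKernelTunables= option can be used ..." before this ships as release notes. In that hardening bullet the list "ProtectKernelTunables=yes, ProtectControlGroups=yes, RestrictAddressFamilies=." also ends abruptly without a conjunction; "and RestrictAddressFamilies=" would read as the complete list that the following udevd paragraph then elaborates on.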
@@ -54,7 +86,7 @@ CHANGES WITH 232 in spe
5486 mount the EFI partition on systems where /boot is used for something
5587 else.
5688
57- * disk/by-id symlinks are now created for NVMe drives.
89+ * disk/by-id and disk/by-path symlinks are now created for NVMe drives.
5890
5991 * Two new user session targets have been added to support running
6092 graphical sessions under the systemd --user instance:
@@ -93,6 +125,9 @@ CHANGES WITH 232 in spe
93125 * systemd-run gained a new --wait option that makes service execution
94126 synchronous.
95127
128+ systemctl gained a new --wait option that causes the start command to
129+ wait until the units being started have terminated again.
130+
96131 * A new journal output mode "short-full" has been added which uses
97132 timestamps with abbreviated English day names and adds a timezone
98133 suffix. Those timestamps include more information and can be parsed
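Review bot: the new systemctl --wait paragraph says the start command waits "until the units being started have terminated again" but does not say what the command does for units that are not expected to terminate (a long-running service, for example), nor how that case differs from the systemd-run --wait behaviour described in the same bullet. A sentence stating the expected use (oneshot-style units) or the behaviour when a unit keeps running would make the release note actionable.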
@@ -106,6 +141,12 @@ CHANGES WITH 232 in spe
106141 from a single IP can be limited with MaxConnectionsPerSource=,
107142 extending the existing setting of MaxConnections.
108143
144+ * systemd-networkd gained support for vcan ("Virtual CAN") interface
145+ configuration.
146+
147+ * .netdev and .network configuration can now be extended through
148+ drop-ins.
149+
109150 * UDP Segmentation Offload, TCP Segmentation Offload, Generic
110151 Segmentation Offload, Generic Receive Offload, Large Receive Offload
111152 can be enabled and disabled using the new UDPSegmentationOffload=,
@@ -118,39 +159,42 @@ CHANGES WITH 232 in spe
118159 new STP=, Priority=, AgeingTimeSec=, and DefaultPVID= settings in the
119160 [Bridge] section of .netdev files.
120161
162+ The route table to which routes received over DHCP or RA should be
163+ added can be configured with the new RouteTable= option in the [DHCP]
164+ and [IPv6AcceptRA] sections of .network files.
165+
121166 Address Resolution Protocol can be disabled on links managed by
122167 systemd-networkd using the ARP=no setting in the [Link] section of
123168 .network files.
124169
125170 * $SERVICE_RESULT, $EXIT_CODE, $EXIT_STATUS are set for ExecStop= and
126171 ExecStopPost= commands.
127172
173+ * systemd-sysctl will now configure kernel parameters in the order
174+ they occur in the configuration files. This mathes what sysctl
175+ has been traditionally doing.
176+
177+ * kernel-install "plugins" that are executed to perform various
178+ tasks after a new kernel is added and before an old one is removed
179+ can now return a special value to terminate the procedure and
180+ prevent any later plugins from running.
181+
128182 * Journald's SplitMode=login setting has been deprecated. It has been
129183 removed from documentation, and it's use is discouraged. In a future
130184 release it will be completely removed, and made equivalent to current
131185 default of SplitMode=uid.
132186
187+ * Storage=both option setting in /etc/systemd/coredump.conf has been
188+ removed. With fast LZ4 compression storing the core dump twice is not
189+ useful.
190+
133191 * The --share-system systemd-nspawn option has been replaced with an
134192 (undocumented) variable $SYSTEMD_NSPAWN_SHARE_SYSTEM, but the use of
135193 this functionality is discouraged. In addition the variables
136194 $SYSTEMD_NSPAWN_SHARE_NS_IPC, $SYSTEMD_NSPAWN_SHARE_NS_PID,
137195 $SYSTEMD_NSPAWN_SHARE_NS_UTS may be used to control the unsharing of
138196 individual namespaces.
139197
140- * systemd-udevd.service is now run in a Seccomp-based sandbox that
141- prohibits access to AF_INET and AF_INET6 sockets and thus access to
142- the network. This might break code that runs from udev rules that
143- tries to talk to the network. Doing that is generally a bad idea and
144- unsafe due to a variety of reasons. It's also racy as device
145- management would race against network configuration. It is
146- recommended to rework such rules to use the SYSTEMD_WANTS property on
147- the relevant devices to pull in a proper systemd service (which can
148- be sandboxed differently and ordered correctly after the network
149- having come up). If that's not possible consider reverting this
150- sandboxing feature locally by removing the RestrictAddressFamilies=
151- setting from the systemd-udevd.service unit file, or adding AF_INET
152- and AF_INET6 to it.
153-
154198CHANGES WITH 231:
155199
156200 * In service units the various ExecXYZ= settings have been extended
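Review bot: typo in the systemd-sysctl bullet: "This mathes what sysctl has been traditionally doing." should read "This matches what sysctl has traditionally been doing." In the kernel-install bullet, plugins "can now return a special value to terminate the procedure and prevent any later plugins from running" without the value being named; release notes for a plugin interface should state the exact exit status that triggers the early termination so plugin authors can rely on it.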