A new system call filter group "@filesystem" has been added

Mar 1, 2017 23:46 GMT  ·  By

Lennart Poettering is announcing today, March 1, 2017, the general availability of the systemd 233 init system for Linux-based operating systems that have adopted the open-source technology.

systemd 233 comes four months after the release of the previous version, namely systemd 232, and it's a major update that adds over 70 improvements and bug fixes, as well as some new features. First off, it looks like all the Python scripts that ship with systemd now require Python 3 to be installed on your GNU/Linux distribution.

Prominent features include better compatibility with "legacy" cgroups-v1 setups for the "hybrid" control group mode, the ability to select the control group mode at compile time or at boot time, installation of DBus policy files into /usr instead of /etc by default, as well as the ability for systemd unit tests to run standalone.

Additionally, systemd 233 removes support for the %R, %r, and %c specifiers in unit files. Another important change implemented in the systemd 233 release is that the CONFIG_CRYPTO_SHA256, CONFIG_CRYPTO_USER_API_HASH, and CONFIG_CRYPTO_HMAC options must be enabled in the kernel with which your OS ships.

systemd 233 is coming soon to a distro near you

systemd 233 also ships with a new system call filter group called "@filesystem" that consists of multiple file system related system calls, along with a brand-new unit file option called "RestrictNamespaces=" so you can restrict access to some of the process namespace types provided by the Linux kernel.
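To show how a service would actually be locked down with the two options just mentioned, here is an added example (not from the systemd release notes or the systemd project): a small POSIX shell script that writes a hardening drop-in for a service and then asks the manager what it loaded. The service name "example.service" and the drop-in file name are placeholders. Note that the unit-file spelling of the new group, as documented in systemd.exec(5), is `@file-system`; the release announcement's "@filesystem" is not what the parser accepts.

```shell
#!/bin/sh
# Added example: hardening drop-in using RestrictNamespaces= and a
# SystemCallFilter= that includes the @file-system group (systemd >= 233).
# "example.service" is a placeholder; substitute the unit you are hardening.
set -eu

# Deny-list variant: safest first step for an existing service, since only
# the named groups are blocked and everything else keeps working.
hardening_dropin_denylist() {
    cat <<'EOF'
[Service]
# Forbid creating new namespaces (unshare(2), clone(2) with CLONE_NEW*, setns(2)).
RestrictNamespaces=yes
# Groups a normal daemon never needs; "~" turns the list into a deny-list.
SystemCallFilter=~@mount @module @raw-io
# Fail blocked calls with EPERM instead of SIGSYS, so they surface as logged
# errors rather than as an unexplained crash while you tune the filter.
SystemCallErrorNumber=EPERM
EOF
}

# Allow-list variant: much stricter, and the new @file-system group is what
# makes it practical to express "may open/read/write/stat files" in one token.
# The exact set of groups depends on what the service does; audit with strace
# before enabling this on a real unit.
hardening_dropin_allowlist() {
    cat <<'EOF'
[Service]
RestrictNamespaces=yes
SystemCallFilter=@basic-io @file-system @io-event @process @signal
SystemCallErrorNumber=EPERM
EOF
}

# Install a drop-in for $1 and print the values the manager actually loaded.
# Requires root; "10-hardening.conf" is a placeholder file name.
install_dropin() {
    unit=$1
    dir="/etc/systemd/system/${unit}.d"
    mkdir -p "$dir"
    hardening_dropin_denylist > "$dir/10-hardening.conf"
    systemctl daemon-reload
    # Check the effective settings, not just the file on disk.
    systemctl show -p RestrictNamespaces -p SystemCallFilter "$unit"
}

# Without --install, just print the drop-in so it can be reviewed first.
if [ "${1-}" = "--install" ]; then
    install_dropin "${2:-example.service}"
else
    hardening_dropin_denylist
fi
```

Run it with no arguments to review the generated drop-in; run it as `./harden.sh --install example.service` (as root) to install it and see the effective values. Start with the deny-list, watch the journal for EPERM failures, and only then consider the allow-list.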

systemd-networkd gains a new IPv6ProxyNDPAddress= .network file setting that allows the configuration of IPv6 Proxy NDP addresses. Other changes include support for LUKS-encrypted root partitions in systemd-gpt-auto-generator, a brand-new DNSSEC root key (KSK) in systemd-resolved, and a new generator, "systemd-verity-generator."

"In order to make use of this your partition setup should follow the Discoverable Partitions Specification, and the GPT partition ID of the root file system partition should be identical to the upper 128bit of the Verity root hash. The GPT partition ID of the Verity partition protecting it should be the lower 128bit of the Verity root hash," said Lennart Poettering.
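The rule Poettering describes is mechanical: a dm-verity root hash is a 256-bit value, its upper 128 bits become the GPT partition UUID of the root file system and its lower 128 bits the UUID of the Verity hash partition. The following POSIX shell script, an added example that is not part of the announcement or of systemd, does that split so the two UUIDs can be checked or set (for example with sgdisk's --partition-guid option). The sample root hash is constructed for illustration, not a real hash.

```shell
#!/bin/sh
# Added example: derive the two GPT partition UUIDs systemd-verity-generator
# expects from a dm-verity (SHA-256) root hash. Not part of systemd itself.
set -eu

# A root hash is 64 hex characters (256 bits). Returns non-zero otherwise.
is_hex256() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# Format 32 hex characters (128 bits) as a lower-case 8-4-4-4-12 UUID.
to_uuid() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    printf '%s-%s-%s-%s-%s\n' \
        "$(printf '%s' "$h" | cut -c1-8)" \
        "$(printf '%s' "$h" | cut -c9-12)" \
        "$(printf '%s' "$h" | cut -c13-16)" \
        "$(printf '%s' "$h" | cut -c17-20)" \
        "$(printf '%s' "$h" | cut -c21-32)"
}

# Upper 128 bits -> UUID of the root file system (data) partition.
root_part_uuid() {
    to_uuid "$(printf '%s' "$1" | cut -c1-32)"
}

# Lower 128 bits -> UUID of the Verity (hash) partition protecting it.
verity_part_uuid() {
    to_uuid "$(printf '%s' "$1" | cut -c33-64)"
}

# Print both UUIDs for a root hash, refusing malformed input.
show_partition_uuids() {
    if ! is_hex256 "$1"; then
        echo "error: root hash must be 64 hex characters" >&2
        return 1
    fi
    echo "root partition UUID:   $(root_part_uuid "$1")"
    echo "verity partition UUID: $(verity_part_uuid "$1")"
    # To apply: sgdisk --partition-guid=<partnum>:<uuid> <disk> for each partition
    # (placeholder values; verify against the output of blkid afterwards).
}

# Constructed sample hash, not a real dm-verity root hash.
SAMPLE_ROOTHASH=00112233445566778899aabbccddeeffffeeddccbbaa99887766554433221100
show_partition_uuids "${1:-$SAMPLE_ROOTHASH}"
```

Pass the real root hash printed by `veritysetup format` as the first argument; with no argument the script runs on the constructed sample. Comparing its output with `blkid` on the two partitions is the quickest way to see why the generator is not finding a root file system at boot.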

Of course, there are numerous other improvements included in systemd 233, and you can study the full changelog below if you're curious to know what exactly has been changed or added. In the meantime, watch the software repositories of your favorite distro for the systemd 233 packages or download the tarball right now from our website.

Systemd 233 Changelog