On Wed, 26.03.14 11:28, Bill Nottingham (notting@xxxxxxxx) wrote:

> Jaroslav Reznik (jreznik@xxxxxxxxxx) said:
> > = Proposed System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For
> > Long-Running Services =
> > https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
> >
> > Change owner(s): Lennart Poettering <lennart at poettering dot net>, Dan
> > Walsh, Kay Sievers
> >
> > Let's make Fedora more secure by default! Recent systemd versions provide two
> > per-service switches PrivateDevices=yes/no and PrivateNetwork=yes/no which
> > enable services to run without access to any physical devices in /dev, or
> > without access to any kind of network sockets. So far this has seen little use in
> > Fedora, and with this Fedora Change we'd like to change this, and enable these
> > for all long-running services that do not require device/network access.
>
> Can you define 'recent' here? While we wouldn't want to change the behavior
> of existing F20 or earlier services, it would be worthwhile to know if
> packages built for EPEL 7 could/should use this feature as well.

Both PrivateDevices= and PrivateNetwork= I'd only advocate to use on F21 really.

PrivateNetwork= should mostly work the same way on F20 already, however with one exception. On F20 and older the notification socket systemd used as backend for sd_notify() and friends was in the abstract namespace, which is affected by PrivateNetwork=. This means PrivateNetwork= effectively breaks sd_notify() there. On F21 we moved the socket into the file system instead, which is unaffected by PrivateNetwork=, hence sd_notify() works fine there, regardless of whether PrivateNetwork= is used or not. (Note that moving the socket is not compat breakage since it was mostly dynamic previously, and hence people already had to check $NOTIFY_SOCKET for it, which allowed us to cleanly move it to a different place.)

PrivateDevices= is only available in F21.

I filed this as a feature for F21, and that's what it is about. Since the differences in the effect of PrivateNetwork= between F20 and F21 are hard to explain I really would prefer to focus on F21 only for this.

Hope that makes sense,

Lennart

--
Lennart Poettering, Red Hat
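Added example, not part of the original message and not systemd's own code: a minimal client for the $NOTIFY_SOCKET datagram protocol that handles both socket layouts described above and reports which one stays reachable under PrivateNetwork=yes. The function names and the sample socket values are assumptions made for illustration.

```python
import os
import socket


def parse_notify_socket(value):
    """Map a $NOTIFY_SOCKET value to (kind, address usable with sendto())."""
    if not value or len(value) < 2:
        raise ValueError("NOTIFY_SOCKET is empty")
    if value[0] == "@":
        # Abstract namespace: '@' stands for a leading NUL byte. These names
        # are scoped to the network namespace, so PrivateNetwork= hides them.
        return "abstract", b"\0" + value[1:].encode()
    if value[0] == "/":
        # Filesystem socket: reached through the file system instead.
        return "filesystem", os.fsencode(value)
    raise ValueError("unsupported NOTIFY_SOCKET: %r" % value)


def survives_private_network(value):
    """True if the notify socket stays reachable under PrivateNetwork=yes."""
    return parse_notify_socket(value)[0] == "filesystem"


def notify(state, env=None):
    """Send one state datagram such as 'READY=1'; False if not supervised."""
    env = os.environ if env is None else env
    value = env.get("NOTIFY_SOCKET")
    if not value:
        return False
    _, address = parse_notify_socket(value)
    with socket.socket(socket.AF_UNIX, socket.SOCK_DGRAM) as sock:
        sock.sendto(state.encode(), address)
    return True


if __name__ == "__main__":
    # Illustrative sample values, one per layout described in the message.
    for sample in ("@/org/freedesktop/systemd1/notify", "/run/systemd/notify"):
        ok = survives_private_network(sample)
        print(sample, "->", "works" if ok else "breaks", "with PrivateNetwork=yes")
```

A service that must run on both layouts can log the result of survives_private_network() at startup to explain a readiness timeout when the unit sets PrivateNetwork=yes.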