On Mon, 07.04.14 15:00, Jaroslav Reznik (jreznik@xxxxxxxxxx) wrote:

> * PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
> URL:
> https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork;
> Announcement: https://lists.fedoraproject.org/pipermail/devel/2014-March/197175.html
>
> Let's make Fedora more secure by default! Recent systemd versions provide two
> per-service switches PrivateDevices=yes/no and PrivateNetwork=yes/no which
> enable services to run without access to any physical devices in /dev, or
> without access to kind of network sockets. So far this has seen little use in
> Fedora, and with this Fedora Change we'd like to change this, and enable these
> for all long-running services that do not require device/network access.
>
> notting has question to note: is disconnecting the netlink and audit namespace
> truly required, or just merely a choice of what they decided to remove?

To answer this: the kernel network namespace thing PrivateNetwork= is
built on disconnects all address families at once. There's no choice to
only disassociate some address families, either all or none. (except for
the weirdness of AF_UNIX sockets in the fs namespace which stay
connectable as long as the fs is reachable, see feature page).

Lennart

--
Lennart Poettering, Red Hat
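As an added example that is not part of the original thread: a small audit that reads unit-file text and reports which of the two switches discussed above are absent or disabled in the [Service] section. The unit names and file contents are constructed for illustration, and `parse_service_section` and `missing_switches` are hypothetical helpers, not systemd tooling; the parser handles only comments, backslash continuation, and repeated assignments (the later one overrides).

```python
TRUE_VALUES = {"1", "yes", "true", "on"}   # booleans systemd accepts as "enabled"
SWITCHES = ("PrivateDevices", "PrivateNetwork")

def parse_service_section(text):
    """Return the [Service] key/value pairs; a later assignment overrides an earlier one."""
    settings, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def missing_switches(text):
    """List the switches that are absent or not set to a true value."""
    service = parse_service_section(text)
    return [s for s in SWITCHES if service.get(s, "").lower() not in TRUE_VALUES]

# Constructed sample units (hypothetical services, not taken from Fedora).
SAMPLE_UNITS = {
    "example-logger.service": """
[Service]
ExecStart=/usr/bin/example-logger
PrivateDevices=yes
; PrivateNetwork=yes is commented out, so it does not count
""",
    "example-worker.service": """
[Service]
ExecStart=/usr/bin/example-worker \\
    --foreground
PrivateDevices=no
PrivateDevices=true
PrivateNetwork=on
""",
}

if __name__ == "__main__":
    for name, text in SAMPLE_UNITS.items():
        print(name, "missing:", ", ".join(missing_switches(text)) or "none")
```

A unit flagged here still needs a manual check that the service really works without device or network access before the switch is turned on.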