In case you haven't seen: there was a recent kernel vulnerability in a feature called "AF_PACKET". Most services don't need to use the raw sockets this makes available, and on his blog*, Lennart Poettering notes that systemd actually has a feature where services can whitelist or blacklist address families, protecting them from not just this exploit but similar classes. The upcoming systemd v232 will include this by default for systemd's own unit files. But, of course, that's a tiny subset of services in Fedora. So.... Question 1: How can we take advantage of this feature in specific? We could bulk file a bunch of bugs. Or, what about turning on some more restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in Rawhide, and having services which have different needs add exceptions to their own unit files (either more or less restrictive). Question 2: What about *other* systemd security features? The blog post mentions restricting namespaces as an upcoming feature, and there are other existing ones which we are not using systemically — like PrivateTmp, ProtectSystem, etc. How can we take better advantage of these? * http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html -- Matthew Miller <mattdm@xxxxxxxxxxxxxxxxx> Fedora Project Leader _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
