On Mon, 12 Dec 2016, Matthew Miller wrote:
Question 1: How can we take advantage of this feature in specific? We could bulk file a bunch of bugs. Or, what about turning on some more restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in Rawhide, and having services which have different needs add exceptions to their own unit files (either more or less restrictive).
I don't see the use of a flag day. Everyone can (and should) implement it in their services file and people can file bug reports for those that do not?
Question 2: What about *other* systemd security features? The blog post mentions restricting namespaces as an upcoming feature, and there are other existing ones which we are not using systemically — like PrivateTmp, ProtectSystem, etc. How can we take better advantage of these?
Same?

Note that I wonder if restricting address families really belongs in systemd. Why isn't this a libcap-ng capability? That way my software can support this without depending on systemd.

Paul
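
Added example, not part of either message and not Fedora or systemd code: a small Python audit that reports which unit files lack the directives named in this thread, the kind of check that could back the bug reports suggested above. It reads only the unit file text (no drop-ins, no line continuations) and keeps the last assignment of each key, both simplifications; the unit names and contents are constructed.

```python
# Added example (not from the thread): flag [Service] sections lacking the
# hardening directives discussed above. Unit texts below are constructed.
HARDENING = ("RestrictAddressFamilies", "PrivateTmp", "ProtectSystem")
FALSY = {"", "no", "false", "off", "0"}

def service_settings(unit_text):
    """Return {directive: last assigned value} from the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def missing_hardening(unit_text):
    """Directives that are absent, empty, or set to a false value."""
    s = service_settings(unit_text)
    return [d for d in HARDENING if s.get(d, "").lower() in FALSY]

def audit(units):
    """Map unit name -> missing directives, omitting fully covered units."""
    report = {name: missing_hardening(text) for name, text in units.items()}
    return {name: gaps for name, gaps in report.items() if gaps}

SAMPLE_UNITS = {  # constructed
    "hardened.service": """[Unit]
Description=Constructed example
[Service]
ExecStart=/usr/bin/example-daemon
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
PrivateTmp=yes
ProtectSystem=full
""",
    "legacy.service": """[Service]
ExecStart=/usr/bin/legacy-daemon
PrivateTmp=false
""",
}

if __name__ == "__main__":
    for name, gaps in audit(SAMPLE_UNITS).items():
        print(f"{name}: missing {', '.join(gaps)}")
```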