Re: CVE-2016-8655, systemd, and Fedora

On Mon, Dec 12, 2016 at 01:14:27PM -0500, Matthew Miller wrote:
> In case you haven't seen: there was a recent kernel vulnerability in a
> feature called "AF_PACKET". Most services don't need to use the raw
> sockets this makes available, and on his blog*, Lennart Poettering notes
> that systemd actually has a feature where services can whitelist or
> blacklist address families, protecting them from not just this exploit
> but similar classes.
> 
> The upcoming systemd v232 will include this by default for systemd's
> own unit files. But, of course, that's a tiny subset of services in
> Fedora. So....
> 
> Question 1: How can we take advantage of this feature in specific? We
> could bulk file a bunch of bugs. Or, what about turning on some more
> restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in
> Rawhide, and having services which have different needs add exceptions
> to their own unit files (either more or less restrictive).

  If you go this route, please do not file the bugs in Fedora bugzilla,
but in corresponding upstream projects.  We shouldn't diverge from
upstream units, and patching units downstream is just that - a divergence.


-- 
Tomasz Torcz                 Morality must always be based on practicality.
xmpp: zdzichubg@xxxxxxxxx                -- Baron Vladimir Harkonnen
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
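The address-family whitelist/blacklist the thread refers to is systemd's `RestrictAddressFamilies=` directive (systemd.exec(5)). The script below is an added example, not part of this thread or of systemd itself: it reads a unit file from stdin and reports whether AF_PACKET would still be permitted, so a packager can audit units before or after a flag day like the one proposed. It assumes a simplified model: a unit that mixes allow-list and deny-list lines is not handled, and drop-in overrides are not merged.

```bash
#!/bin/bash
# Semantics modelled (from systemd.exec(5)): directive unset = every family allowed;
# "RestrictAddressFamilies=" (empty) undoes earlier settings; a value starting with
# "~" is a deny-list; repeated lines of the same sense are merged.
# Assumption: lines of opposite sense within one unit are ignored (not modelled).

# Print the effective policy of the unit read from stdin:
# "allow-all", "allow: <families>" or "deny: <families>".
effective_af_policy() {
  awk '
    /^\[/ { in_service = ($0 == "[Service]"); next }      # only [Service] keys count
    in_service && sub(/^[[:space:]]*RestrictAddressFamilies[[:space:]]*=[[:space:]]*/, "") {
      sub(/[[:space:]]+$/, "")
      if ($0 == "") { mode = ""; list = ""; next }          # empty assignment resets
      if (substr($0, 1, 1) == "~") { m = "deny"; $0 = substr($0, 2) } else { m = "allow" }
      if (mode == "") mode = m
      if (m == mode) list = list " " $0                     # merge lines of same sense
    }
    END {
      if (mode == "") print "allow-all"
      else { gsub(/^ +/, "", list); print mode ": " list }
    }
  '
}

# Exit 0 if AF_PACKET is permitted for the unit read from stdin, 1 otherwise.
af_packet_allowed() {
  case "$(effective_af_policy)" in
    allow-all)               return 0 ;;
    "allow: "*AF_PACKET*)    return 0 ;;
    "deny: "*AF_PACKET*)     return 1 ;;
    "deny: "*)               return 0 ;;   # deny-list that does not name AF_PACKET
    *)                       return 1 ;;   # allow-list without AF_PACKET
  esac
}

# Constructed sample units (not from any real package) covering the cases above.
sample_unit_open() {       # no restriction at all: AF_PACKET reachable
  printf '%s\n' '[Unit]' 'Description=constructed sample' '[Service]' 'ExecStart=/usr/bin/true'
}
sample_unit_restricted() { # the restrictive default proposed in the thread, split over two lines
  printf '%s\n' '[Service]' 'RestrictAddressFamilies=AF_INET AF_INET6' 'RestrictAddressFamilies=AF_UNIX'
}
sample_unit_deny() {       # deny-list form that blocks only AF_PACKET
  printf '%s\n' '[Service]' 'RestrictAddressFamilies=~AF_PACKET'
}
sample_unit_reset() {      # an empty assignment undoes the earlier restriction
  printf '%s\n' '[Service]' 'RestrictAddressFamilies=AF_INET' 'RestrictAddressFamilies='
}
```

Run it against a real unit with `effective_af_policy < /usr/lib/systemd/system/foo.service`; the `ExecStart=` line in the samples is only there to make them look like a unit.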