On Mon, 12.12.16 13:14, Matthew Miller (mattdm@xxxxxxxxxxxxxxxxx) wrote:

> Question 2: What about *other* systemd security features? The blog post
> mentions restricting namespaces as an upcoming feature, and there are
> other existing ones which we are not using systemically — like
> PrivateTmp, ProtectSystem, etc. How can we take better advantage of
> these?

Hmm, yeah, I should probably blog more about all the nice sandboxing
features we have now in systemd. There's quite some stuff now we should
enable wherever we can. Specifically ProtectSystem=, ProtectHome=,
ProtectKernelTunables=, ProtectKernelModules=, ProtectControlGroups=,
PrivateUsers=, PrivateTmp=, PrivateDevices=, PrivateNetwork=,
SystemCallFilter=, RestrictAddressFamilies=, RestrictNamespaces=,
MemoryDenyWriteExecute=, RestrictRealtime=.

For now, the only docs available for them are the man pages. Not all of
them are available on all currently maintained Fedoras, but a good chunk
is.

Lennart

--
Lennart Poettering, Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
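The directives listed in the reply, applied together, as an added example that is not part of the thread: a drop-in file for a hypothetical `example.service` (the service name, the paths and the port are assumptions; the directive set assumes a systemd recent enough to know all of them, which as the reply notes is not every maintained Fedora).

```ini
# /etc/systemd/system/example.service.d/hardening.conf (hypothetical drop-in)
# Each setting only narrows what the service may touch; a service that
# genuinely needs one of these resources must be given it back explicitly.
[Service]
# Filesystem: whole tree read-only except paths listed in ReadWritePaths=
ProtectSystem=strict
ReadWritePaths=/var/lib/example
ProtectHome=yes
# Per-service /tmp and /var/tmp, no physical devices in /dev
PrivateTmp=yes
PrivateDevices=yes
# Kernel interfaces: /proc/sys, /sys, module loading and cgroupfs read-only
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
# Own user namespace so UID 0 inside is not UID 0 on the host
PrivateUsers=yes
# Only enable if the service never opens a socket; it gets a lone loopback
# PrivateNetwork=yes
# Otherwise restrict which socket families it may create
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# No new mount, user, pid, net ... namespaces from inside the service
RestrictNamespaces=yes
# No writable+executable memory mappings (blocks common shellcode staging)
MemoryDenyWriteExecute=yes
# No realtime scheduling (prevents a compromised service from starving the host)
RestrictRealtime=yes
# Denylist syscall groups this service has no business using
SystemCallFilter=~@mount @raw-io @module
# Drop ambient capabilities; NoNewPrivileges is implied by several options above
CapabilityBoundingSet=
NoNewPrivileges=yes
```

After `systemctl daemon-reload`, start the service and exercise every code path, since a too-tight SystemCallFilter= or ReadWritePaths= shows up only as runtime failures in the journal.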