On Tue, Dec 13, 2016 at 10:00:10AM -0500, Matthew Miller wrote: > On Tue, Dec 13, 2016 at 12:14:44PM +0100, Lennart Poettering wrote: > > Well, the security policies need to be adapted to the service in > > question, hence a blanket switch to enable all of them for every > > service is problematic. Let's say you block gettimeofday() > > system-wide, but then run an NTP service: you just broke it... > > > > I fear it's too late to turn on all sandboxing options by default for > > regular services. If we would have had them back when we started we > > of course would have made them opt-out rather than opt-in, but that's > > too late now... > > I'm not so sure it's too late, if we would publicize the change well > enough in advance and have some proven packagers dedicated to finding > any exceptions. It's a matter of how much priority we put on > preventative security measures. You have to take into account non-distro services that people have. Globally disabling certain address families will result in silent and hard to debug failures. I don't there's any other way except to enable this one by one for existing services. > For a less-effort version, we could update > https://fedoraproject.org/wiki/Packaging:Systemd and have an (internal) > marketing campaign asking people to update their packages (as > suggested, ideally upstream). That would be great. This can only be done bottom-up, because usually you need to know some program very very well to know what policies can be applied to it that will not break not just the default configuration, but any reasonable configuration that people might be carrying. Zbyszek _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
