Security of confined user/application and access to video group

Hi there, I am the co-maintainer of boinc-client [1].
boinc-client runs as a service, and both it and its work units run as
the 'boinc' user and are confined by SELinux.
Recently, I investigated why boinc-client, while running as a service,
could not detect the video card for GPU computing. In order to fix this
problem I had to add Group=video to the boinc-client systemd unit file.
I have not yet pushed this change to the boinc-client Fedora git, because I
would like to ask you whether it can cause a breach of boinc-client's
confinement. I mean, I am wondering whether a process that has access to
the video card could, for example, read what you are doing on your machine,
the passwords you copy and paste, etc.
What do you think about it?

Best regards

For convenience, I have attached the boinc-client unit file:

=================================
[Unit]
Description=Berkeley Open Infrastructure Network Computing Client
Documentation=man:boinc(1)
After=network-online.target

[Service]
Type=forking
Nice=10
User=boinc
WorkingDirectory=/var/lib/boinc
ExecStart=/usr/bin/boinc_client --daemon --start_delay 1
ExecStop=/usr/bin/boinccmd --quit
ExecReload=/usr/bin/boinccmd --read_cc_config
ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile
IOSchedulingClass=idle
Environment=LD_LIBRARY_PATH=/opt/amdgpu-pro/lib64
Group=video

[Install]
WantedBy=multi-user.target
=================================

[1]: https://admin.fedoraproject.org/pkgdb/package/rpms/boinc-client/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
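As an added example (not part of the original post or of the boinc-client package), a small POSIX shell audit of the two unit settings that matter for the question above: whether video becomes the service's primary group (Group=) or only a supplementary one (SupplementaryGroups=), and whether a DevicePolicy=closed plus DeviceAllow= device cgroup policy limits the service to the GPU nodes it needs. The directive names are real systemd.exec settings; the two unit fragments are constructed for the demonstration, and char-drm (the DRM character-device class from /proc/devices) and /dev/nvidiactl are assumed as the GPU entries.

```shell
#!/bin/sh
# Print the values of a directive in a unit file, comma-joined ("" if absent).
unit_get() {  # unit_get FILE KEY
    sed -n "s/^[[:space:]]*$2=//p" "$1" | paste -sd, -
}

# Emit one OK/WARN finding per line for how FILE grants device access.
audit_unit() {  # audit_unit FILE
    grp=$(unit_get "$1" Group)
    supp=$(unit_get "$1" SupplementaryGroups)
    policy=$(unit_get "$1" DevicePolicy)
    allow=$(unit_get "$1" DeviceAllow)

    # Group= replaces the primary group, so every file the service writes
    # (state, slots, downloaded work units) becomes group-owned by that group.
    if [ "$grp" = video ]; then
        echo "WARN: Group=video is the primary group; prefer SupplementaryGroups=video"
    elif [ "$supp" = video ]; then
        echo "OK: video is a supplementary group only"
    fi
    # Without a device cgroup policy the unit may open every node the video
    # group can access, not only the GPU render nodes it needs.
    case $policy in
        closed|strict)
            if [ -n "$allow" ]; then
                echo "OK: device access limited to: $allow"
            else
                echo "WARN: DevicePolicy=$policy but no DeviceAllow= entries"
            fi ;;
        *) echo "WARN: no DevicePolicy=closed; add DeviceAllow= for the GPU nodes only" ;;
    esac
}

# Constructed samples (not the boinc-client package's unit): the settings as
# posted, and a narrower variant. Device entries are assumptions for the demo.
tmp=$(mktemp -d)
printf '[Service]\nUser=boinc\nGroup=video\n' > "$tmp/as-posted.service"
cat > "$tmp/hardened.service" <<'EOF'
[Service]
User=boinc
SupplementaryGroups=video
DevicePolicy=closed
DeviceAllow=char-drm rw
DeviceAllow=/dev/nvidiactl rw
EOF

for u in as-posted hardened; do echo "== $u"; audit_unit "$tmp/$u.service"; done
```

Run it against the real unit with `audit_unit /path/to/boinc-client.service`; `systemd-analyze security boinc-client.service` gives the broader sandboxing picture once the change is installed.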