Re: Security of confined user/application and access to video group

On Tue, 06.06.17 11:48, Germano Massullo (germano.massullo@xxxxxxxxx) wrote:

> Hi there, I am the co-maintainer of boinc-client [1].
> boinc-client runs as a service, and both it and its working units run as
> 'boinc' user and they are confined by SELinux.
> Recently, I investigated to figure out why boinc-client, while running
> as a service, could not detect videocard for GPU calculus. In order to
> fix this problem I had to add Group=video to boinc-client systemd unit file.
> I have not yet pushed such change to boinc-client Fedora git, because I
> would like to ask you if this can cause a breach into boinc-client
> confinement. I mean, I am wondering if a process that can have access to
> videocard, could for example read what you are doing on your machine,
> the passwords you copy and paste, etc.

The "video" group is pretty broad, it covers video4linux, DRM and related, DVB,
even some firewire stuff. Giving a service access to the local display
hardware means you possibly grant access to reading backing the screen
contents, and giving a service access to the v4l devices means the
service can film the user.

Not sure what "boinc-client" does, but if this isn't trustworthy then
it probably shouldn't be able to get access to "video".

> ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile

If this file is not supposed to survive a daemon restart it really
should be placed in /run somewhere.

> Group=video

I don't know your package, but I have the suspicion you should better
use SupplementaryGroups=video than Group=, as the latter chooses the
group your service creates files as, and the former only grants access
to additional resources.

But then again, you probably shouldn't do all this at all, unless your
service shall be able to film your users.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
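To make the two suggestions in the reply concrete, here is an added unit-file sketch (not boinc-client's actual unit and not something either poster wrote) showing the fragment under discussion beside a narrowed version. The user/group names, the `/run/boinc` location and the `/dev/dri/renderD128` node are assumptions; which render node exists, and whether it is group-owned by `video` or a separate `render` group, depends on the host's udev rules, so check with `ls -l /dev/dri` first. A quick way to see how much `video` actually grants on a given machine is `find /dev -group video`.

```ini
# --- Fragment as discussed in the thread ---------------------------------
# Group= replaces the service's primary group, so every file boinc-client
# writes ends up owned by group "video", and the lockfile sits in
# persistent state under /var/lib, which is why it has to be cleaned up
# by hand in ExecStopPost.
[Service]
User=boinc
Group=video
ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile

# --- Narrowed version (added example, assumed paths) ---------------------
[Service]
User=boinc
# Keep the service's own primary group for file ownership ...
Group=boinc
# ... and grant "video" only as an additional group for device access.
SupplementaryGroups=video
# /run/boinc is created at start and removed at stop, so a lockfile kept
# there cannot survive a restart and needs no ExecStopPost cleanup.
# (Assumption: the client can be configured to place its lockfile here.)
RuntimeDirectory=boinc
RuntimeDirectoryMode=0750
# Group membership only decides what the permission bits allow; the
# device cgroup decides which nodes the service can open at all.
# DevicePolicy=closed leaves only the pseudo-devices (null, zero, random...)
# and what DeviceAllow= lists, so /dev/video* (cameras) and the DRM
# display nodes /dev/dri/card* stay out of reach even though the "video"
# group would otherwise permit them.
DevicePolicy=closed
# Render nodes expose GPU compute without the modesetting/scanout side of
# the card that would let a process read the screen. Assumed node name.
DeviceAllow=/dev/dri/renderD128 rw
```

With this layout, `systemctl show -p DeviceAllow -p SupplementaryGroups boinc-client.service` confirms what the running unit was granted, and a failed attempt by the service to open `/dev/video0` shows up as a plain EPERM rather than a successful capture.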



