Re: Security of confined user/application and access to video group

On Tue, 06.06.17 17:44, Germano Massullo (germano.massullo@xxxxxxxxx) wrote:

> 2017-06-06 14:40 GMT+02:00 Lennart Poettering <mzerqung@xxxxxxxxxxx>:
> > Not sure what "boinc-client" does, but if this isn't trustworthy then
> > it probably shouldn't be able to get access to "video".
> 
> boinc-client is the client side version of BOINC (Berkeley Open
> Infrastructure for Network Computing). You can use your computers to
> help scientific research of many different projects. You can think
> about it as a music player, the projects as the music discs, and the
> working units as disc tracks.
> Since working units are closed source software we always considered
> them not trustworthy, therefore they always ran confined as much as
> possible.

If so, this sounds like a great candidate for using systemd's
sandboxing functionality. Things like CapabilityBoundingSet=,
PrivateTmp=, ProtectSystem=, ProtectHome=, ProtectKernelTunables=,
ProtectKernelModules=, ProtectControlGroup=, SystemCallFilter=,
SystemCallArchitectures=, RestrictAddressFamilies=,
RestrictNamespaces=, RestrictRealtime=, ...

See systemd.exec(5) for more information.

Lennart

-- 
Lennart Poettering, Red Hat
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
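
The directives listed in the message above, written out as a unit drop-in. This is an added example, not part of the original mail and not Fedora's or BOINC's own configuration; the unit name boinc-client.service, the drop-in path, the data directory /var/lib/boinc and every value are assumptions, and ReadWritePaths= is an extra directive needed by ProtectSystem=strict. systemd.exec(5) spells the control-group directive ProtectControlGroups=.

```ini
# /etc/systemd/system/boinc-client.service.d/sandbox.conf  (assumed path)
# Added example: every value below is an assumed starting point to be tested.
[Service]
# Empty assignment drops all capabilities from the bounding set.
# Assumes the service already runs as an unprivileged user.
CapabilityBoundingSet=

# Private /tmp and /var/tmp, invisible to and from other services.
PrivateTmp=yes

# Mount the whole file system hierarchy read-only for this service,
# then re-open only the data directory (assumed location).
ProtectSystem=strict
ReadWritePaths=/var/lib/boinc

# Hide /home, /root and /run/user.
ProtectHome=yes

# Make /proc/sys, /sys and the cgroup tree read-only, and deny
# explicit kernel module loading.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Deny-list of predefined syscall groups an unprivileged compute job
# has no use for.
SystemCallFilter=~@clock @debug @module @mount @obsolete @raw-io @reboot @swap

# Only the native ABI; this blocks 32-bit binaries on a 64-bit host,
# so relax it if work units ship in a secondary architecture.
SystemCallArchitectures=native

# Local sockets and IP only: no netlink, packet or other families.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# No new namespaces, no realtime scheduling policies.
RestrictNamespaces=yes
RestrictRealtime=yes

# None of the settings above limits which device nodes are reachable
# through membership of the "video" group; that is a separate decision.
```

After `systemctl daemon-reload` and a restart of the unit, `systemctl show boinc-client.service` lists the properties actually in effect.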



