On 07/06/2017 09:22, Lennart Poettering wrote:
> On Tue, 06.06.17 17:44, Germano Massullo (germano.massullo@xxxxxxxxx) wrote:
>
>> 2017-06-06 14:40 GMT+02:00 Lennart Poettering <mzerqung@xxxxxxxxxxx>:
>>> Not sure what "boinc-client" does, but if this isn't trustworthy then
>>> it probably shouldn't be able to get access to "video".
>> boinc-client is the client-side version of BOINC (Berkeley Open
>> Infrastructure for Network Computing). You can use your computers to
>> help scientific research of many different projects. You can think
>> about it as a music player, the projects as the music discs, and the
>> working units as disc tracks.
>> Since working units are closed source software we always considered
>> them not trustworthy, therefore they always ran confined as much as
>> possible
> If so, this sounds like a great candidate for using systemd's
> sandboxing functionality. Things like CapabilityBoundingSet=,
> PrivateTmp=, ProtectSystem=, ProtectHome=, ProtectKernelTunables=,
> ProtectKernelModules=, ProtectControlGroups=, SystemCallFilter=,
> SystemCallArchitectures=, RestrictAddressFamilies=,
> RestrictNamespaces=, RestrictRealtime=, ...
>
> See systemd.exec(5) for more information.
>
> Lennart
>

Thank you, I will consider systemd sandboxing too

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
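For readers wanting to see what Lennart's list of directives looks like when applied to a daemon such as boinc-client, here is an added example drop-in. It is not the Fedora package's unit nor anything posted in the thread; it assumes the daemon runs as user and group "boinc" with its state under /var/lib/boinc, that its only outbound need is TCP to project servers, and that the host runs a systemd new enough to know the @system-service syscall group. Every directive used is documented in systemd.exec(5); the directive Lennart abbreviated is spelled ProtectControlGroups= there.

```ini
# /etc/systemd/system/boinc-client.service.d/sandbox.conf
# Added example drop-in for a boinc-client.service unit; not the
# project's own file. Assumptions: daemon user/group "boinc", state in
# /var/lib/boinc, outbound TCP only. Adjust to your installation.
[Service]
User=boinc
Group=boinc
# Block the process tree from gaining privileges via setuid binaries.
NoNewPrivileges=yes

# Empty assignments clear any capabilities the main unit may grant.
# Running closed-source work units needs none.
CapabilityBoundingSet=
AmbientCapabilities=

# Filesystem: read-only view of the OS, no home directories, a private
# /tmp, and write access only to the BOINC state directory.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=/var/lib/boinc

# Private, minimal /dev: this is what removes the "video" group question
# from the thread, because /dev/dri and friends are simply not there.
# GPU work units would instead need DevicePolicy=closed plus a narrow
# DeviceAllow= for the exact device node (e.g. /dev/dri/renderD128 rw).
PrivateDevices=yes

# Kernel interfaces a work unit has no business touching.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
# W^X memory. Can break work units that JIT-compile; test before keeping.
MemoryDenyWriteExecute=yes

# Sockets: IPv4/IPv6 for project servers and the localhost GUI RPC,
# AF_UNIX for the libc name-service and logging plumbing. No AF_NETLINK,
# no AF_PACKET.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Seccomp: native ABI only, so a 32-bit or x32 syscall path cannot
# sidestep the filter, and the generic service syscall allow-list.
SystemCallArchitectures=native
SystemCallFilter=@system-service
```

Apply with `systemctl daemon-reload` and `systemctl restart boinc-client.service`, then watch `journalctl -u boinc-client.service` for EPERM or "Operation not permitted" failures while a few work units start, since an over-tight SystemCallFilter= or MemoryDenyWriteExecute= shows up there first. On systemd 240 or later, `systemd-analyze security boinc-client.service` scores the resulting exposure and lists which of the above directives are still missing; a drop-in like this typically moves a default unit from the "UNSAFE" band into "OK". Note that list-valued settings such as ReadWritePaths= in a drop-in append to whatever the main unit already sets, so check the merged result with `systemctl cat boinc-client.service` rather than trusting the drop-in alone.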