On Tue, 06.06.17 11:48, Germano Massullo (germano.massullo(a)gmail.com) wrote:
Hi there, I am the co-maintainer of boinc-client .
boinc-client runs as a service, and both it and its working units run as
'boinc' user and they are confined by SELinux.
Recently, I investigated to figure out why boinc-client, while running
as a service, could not detect videocard for GPU calculus. In order to
fix this problem I had to add Group=video to boinc-client systemd unit file.
I have not yet pushed such change to boinc-client Fedora git, because I
would like to ask you if this can cause a breach into boinc-client
confinement. I mean, I am wondering if a process that can have access to
videocard, could for example read what you are doing on your machine,
the passwords you copy and paste, etc.
The "video" group is pretty broad, it covers video4linux, DRM and related, DVB,
even some firewire stuff. Giving a service access to the local display
hardware means you possibly grant access to reading backing the screen
contents, and giving a service access to the v4l devices means the
service can film the user.
Note sure what "boinc-client" does, but if this isn't turstworthy then
it probably shouldn't be able to get access to "video".
ExecStopPost=/bin/rm -f /var/lib/boinc/lockfile
If this file is not supposed to survive a daemon restart it really
should be placed in /run somewhere.
I don't know your package, but I have the suspicion you should better
use SupplementaryGroups=video than Group=, as the latter chooses the
group your service creates files as, and the former only grants access
to additional resources.
But then again, you probably shouldn't do all this at all, unless your
service shall be able to film your users.
Lennart Poettering, Red Hat