On Mon, 12 Dec 2016, Matthew Miller wrote:
> Question 1: How can we take advantage of this feature in specific? We
> could bulk file a bunch of bugs. Or, what about turning on some more
> restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in
> Rawhide, and having services which have different needs add exceptions
> to their own unit files (either more or less restrictive).
I don't see the use of a flag day. Everyone can (and should) implement
it in their service files, and people can file bug reports for those that
do not?
> Question 2: What about *other* systemd security features? The blog post
> mentions restricting namespaces as an upcoming feature, and there are
> other existing ones which we are not using systemically — like
> PrivateTmp, ProtectSystem, etc. How can we take better advantage of
> these?
Same?
Note that I wonder if restricting address families really belongs in
systemd. Why isn't this a libcap-ng capability? That way my software
can support this without depending on systemd.
Paul
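As an added illustration (not part of the thread above), this is the kind of per-service drop-in the discussion has in mind: it applies the address-family restriction plus PrivateTmp and ProtectSystem to a hypothetical `example.service`, and the path `/var/lib/example` is an assumed example.

```ini
# /etc/systemd/system/example.service.d/hardening.conf
# Added example, not from the thread; "example.service" and
# /var/lib/example are hypothetical.
[Service]
# Allow only the socket families this service actually uses. A service
# that only talks over a local socket could drop AF_INET and AF_INET6.
# Assignments to this directive merge across drop-ins; an empty
# assignment (RestrictAddressFamilies=) resets the list.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Give the service private /tmp and /var/tmp directories that other
# processes cannot see.
PrivateTmp=yes
# Mount the filesystem read-only for this service, except for the paths
# listed in ReadWritePaths=.
ProtectSystem=strict
ReadWritePaths=/var/lib/example
```

After `systemctl daemon-reload`, `systemctl show -p RestrictAddressFamilies -p ProtectSystem example.service` shows the effective values, and a service that needs a further family can widen the list in its own drop-in rather than waiting for a distribution-wide default.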