On Mon, 12.12.16 13:14, Matthew Miller (mattdm(a)fedoraproject.org) wrote:
> Question 2: What about *other* systemd security features? The blog post
> mentions restricting namespaces as an upcoming feature, and there are
> other existing ones which we are not using systemically — like
> PrivateTmp, ProtectSystem, etc. How can we take better advantage of
> these?

Hmm, yeah, I should probably blog more about all the nice sandboxing
features we have now in systemd. There's quite some stuff now we
should enable wherever we can. Specifically ProtectSystem=,
ProtectHome=, ProtectKernelTunables=, ProtectKernelModules=,
ProtectControlGroups=, PrivateUsers=, PrivateTmp=, PrivateDevices=,
PrivateNetwork=, SystemCallFilter=, RestrictAddressFamilies=,
RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=.
For now, the only docs available for them are the man pages. Not all
of them are available on all currently maintained Fedoras, but a good
chunk is.
Lennart
--
Lennart Poettering, Red Hat
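
An added example, not part of the original message or of systemd: a small Python audit that reports which of the sandboxing directives listed in the reply a unit's [Service] section leaves unset or switched off. The sample unit, the helper names and the simplified unit-file parsing (last assignment wins, no drop-in merging) are assumptions made for illustration.

```python
# Directive names from the message above; systemd.exec(5) spells the
# control-group one ProtectControlGroups=.
SANDBOX_DIRECTIVES = (
    "ProtectSystem", "ProtectHome", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectControlGroups", "PrivateUsers",
    "PrivateTmp", "PrivateDevices", "PrivateNetwork", "SystemCallFilter",
    "RestrictAddressFamilies", "RestrictNamespaces",
    "MemoryDenyWriteExecute", "RestrictRealtime",
)
OFF = {"", "0", "no", "n", "false", "f", "off"}  # unset, reset, or boolean "no"

# Constructed sample unit (not taken from any real package).
SAMPLE_UNIT = """\
[Unit]
Description=Example daemon
[Service]
ExecStart=/usr/bin/exampled \\
    --foreground
PrivateTmp=yes
ProtectSystem=full
ProtectHome=no
RestrictAddressFamilies=AF_UNIX AF_INET
"""

def service_settings(unit_text):
    """Return {directive: last assigned value} for the [Service] section."""
    settings, section, pending = {}, None, ""
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue                      # blank line or comment
        if line.endswith("\\"):           # trailing backslash continues the line
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def missing_sandboxing(unit_text):
    """List the directives that are absent, reset to empty, or set to a false value."""
    settings = service_settings(unit_text)
    return [d for d in SANDBOX_DIRECTIVES if settings.get(d, "").lower() in OFF]

if __name__ == "__main__": print(missing_sandboxing(SAMPLE_UNIT))
```

Run against the text of each packaged unit file, the returned list gives a per-service view of which directives are still to be considered; whether a given one can be enabled depends on what the service needs and on the systemd version shipped.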