Summary of accepted Fedora 21 Changes - weeks 13/14
mzerqung at 0pointer.de
Mon Apr 7 15:37:34 UTC 2014
On Mon, 07.04.14 15:00, Jaroslav Reznik (jreznik at redhat.com) wrote:
> * PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
> Announcement: https://lists.fedoraproject.org/pipermail/devel/2014-March/197175.html
> Let's make Fedora more secure by default! Recent systemd versions provide two
> per-service switches PrivateDevices?=yes/no and PrivateNetwork?=yes/no which
> enable services to run without access to any physical devices in /dev, or
> without access to kind of network sockets. So far this has seen little use in
> Fedora, and with this Fedora Change we'd like to change this, and enable these
> for all long-running services that do not require device/network access.
> notting has question to note: is disconnecting the netlink and audit namespace
> truly required, or just merely a choice of what they decided to remove?
To answer this: the kernel network namespace thing PrivateNetwork= is
built on disconnects all address families at once. There's no choice to
only disassociate some address families, either all or none. (except for
the weirdness of AF_UNIX sockets in the fs namespace which stay
connectable as long as the fs is reachable, see feature page).
Lennart Poettering, Red Hat
More information about the devel