Summary of accepted Fedora 21 Changes - weeks 13/14

Lennart Poettering mzerqung at 0pointer.de
Mon Apr 7 15:37:34 UTC 2014


On Mon, 07.04.14 15:00, Jaroslav Reznik (jreznik at redhat.com) wrote:
> * PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
>   URL: https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
>   Announcement: https://lists.fedoraproject.org/pipermail/devel/2014-March/197175.html
> 
> Let's make Fedora more secure by default! Recent systemd versions provide two 
> per-service switches PrivateDevices=yes/no and PrivateNetwork=yes/no which 
> enable services to run without access to any physical devices in /dev, or 
> without access to any kind of network sockets. So far this has seen little use in 
> Fedora, and with this Fedora Change we'd like to change this, and enable these 
> for all long-running services that do not require device/network access. 
> 
> notting has a question to note: is disconnecting the netlink and audit namespace 
> truly required, or just merely a choice of what they decided to remove? 

To answer this: the kernel network namespace thing PrivateNetwork= is
built on disconnects all address families at once. There's no choice to
only disassociate some address families, either all or none. (except for
the weirdness of AF_UNIX sockets in the fs namespace which stay
connectable as long as the fs is reachable, see feature page).

Lennart

-- 
Lennart Poettering, Red Hat
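
Added example (not part of the original thread, and not systemd or Fedora code): a small audit that reads unit file text and reports which services do not yet enable the two switches discussed above, as a starting list for the per-service review the Change asks for. The unit names and contents are constructed samples, and the parser is a simplification that only looks at the [Service] section, lets the last assignment win, and ignores values that are not valid booleans.

```python
# Accepted boolean spellings for unit file settings (case-insensitive).
TRUE = {"1", "yes", "true", "on"}
FALSE = {"0", "no", "false", "off"}
SWITCHES = ("PrivateDevices", "PrivateNetwork")

def service_settings(unit_text):
    """Return the effective [Service] value of each switch; unset means off."""
    section, found = None, {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in SWITCHES:
            value = value.lower()
            if value in TRUE:
                found[key] = True
            elif value in FALSE:
                found[key] = False                # later "no" overrides earlier "yes"
            # anything else is not a boolean and is ignored (simplification)
    return {switch: found.get(switch, False) for switch in SWITCHES}

def audit(units):
    """Map unit name -> switches that are not enabled, omitting fully confined units."""
    report = {}
    for name, text in units.items():
        missing = [s for s, on in service_settings(text).items() if not on]
        if missing:
            report[name] = missing
    return report

# Constructed sample units; the last one simulates a drop-in appended to the main file.
SAMPLE_UNITS = {
    "example-logger.service":
        "[Unit]\nDescription=Sample\n[Service]\nExecStart=/usr/bin/example-logger\n"
        "PrivateDevices=yes\nPrivateNetwork=true\n",
    "example-web.service":
        "[Service]\nExecStart=/usr/bin/example-web\nPrivateDevices=1\n",
    "example-override.service":
        "[Unit]\nPrivateNetwork=yes\n[Service]\nPrivateDevices=on\nPrivateNetwork=yes\n"
        "# drop-in follows\n[Service]\nPrivateNetwork=no\n",
}

if __name__ == "__main__":
    for unit, missing in audit(SAMPLE_UNITS).items():
        print(f"{unit}: not enabled: {', '.join(missing)}")
```

A unit listed for PrivateNetwork is only a candidate: since the switch removes every address family at once, a service that needs any of them has to leave it off.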

