F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services
Stephen Gallagher
sgallagh at redhat.com
Wed Mar 26 17:52:14 UTC 2014
On 03/26/2014 11:30 AM, Reindl Harald wrote:
>
> Am 26.03.2014 16:28, schrieb Bill Nottingham:
>> Jaroslav Reznik (jreznik at redhat.com) said:
>>> = Proposed System Wide Change: PrivateDevices=yes and
>>> PrivateNetwork=yes For Long-Running Services =
>>> https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
>>>
>>> Change owner(s): Lennart Poettering <lennart at poettering dot net>, Dan
>>> Walsh, Kay Sievers
>>>
>>> Let's make Fedora more secure by default! Recent systemd
>>> versions provide two per-service switches PrivateDevices=yes/no
>>> and PrivateNetwork=yes/no which enable services to run without
>>> access to any physical devices in /dev, or without access to
>>> any kind of network sockets. So far this has seen little use in
>>> Fedora, and with this Fedora Change we'd like to change this,
>>> and enable these for all long-running services that do not
>>> require device/network access.
>>
>> Can you define 'recent' here? While we wouldn't want to change
>> the behavior of existing F20 or earlier services, it would be
>> worthwhile to know if packages built for EPEL 7 could/should use
>> this feature as well
>
> I just tried on F20 and "PrivateDevices" is not known sadly because
> I have some services in mind where I would like that
>
> Mär 26 15:51:55 testserver.rhsoft.net systemd[1]:
> [/usr/lib/systemd/system/httpd.service:15] Unknown lvalue
> 'PrivateDevices' in section 'Service'
>
PrivateNetwork seems to have been around since at least 2012. The
commit providing PrivateDevices[1] went upstream on January 20th.
According to
git describe 7f112f50fea585411ea2d493b3582bea77eb4d6e
we get v208-1612-g7f112f5 which means it went in 1,612 patches after
v208 was released, so it's definitely not in F20 or RHEL 7 beta.
[1] http://cgit.freedesktop.org/systemd/systemd/commit/?id=7f112f50fea585411ea2d493b3582bea77eb4d6e
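The practical problem in this exchange is a unit file that parses on one systemd and is rejected with "Unknown lvalue 'PrivateDevices'" on an older one. The script below is an added example, not code from the thread or from the systemd project: it reads the running systemd version and only emits PrivateDevices=yes into a drop-in when that version would accept it, while always emitting PrivateNetwork=, which the thread dates back to 2012. It assumes that the release following v208 (the point 1,612 patches after which the commit landed) is v209 and treats that as the minimum for PrivateDevices=; the drop-in path for httpd.service and the sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread or from systemd): gate a PrivateDevices=
# drop-in on the running systemd version so the unit does not fail to parse
# with "Unknown lvalue 'PrivateDevices'" on systemd older than v209
# (assumption: v209 is the first release containing the quoted commit).

PRIVATE_DEVICES_MIN_VERSION=209

# Extract the numeric version from `systemctl --version` output, whose first
# line looks like "systemd 208" or "systemd 219 (219-1.fc22)" (constructed
# samples). Prints nothing if the line does not match.
systemd_version_from() {
    printf '%s\n' "$1" | sed -n '1s/^systemd \([0-9][0-9]*\).*/\1/p'
}

# Exit status 0 if this systemd version knows PrivateDevices=.
# A non-numeric or empty version makes the test fail (stderr silenced),
# so an unparseable `systemctl --version` is treated as "not supported".
supports_private_devices() {
    [ "$1" -ge "$PRIVATE_DEVICES_MIN_VERSION" ] 2>/dev/null
}

# Print a drop-in body. $1 = systemd version, $2 = yes|no for PrivateNetwork=.
# PrivateNetwork= is always emitted; PrivateDevices= only when accepted.
render_dropin() {
    printf '[Service]\n'
    if supports_private_devices "$1"; then
        printf 'PrivateDevices=yes\n'
    fi
    printf 'PrivateNetwork=%s\n' "$2"
}

# Stand-alone run: detect the local systemd (fall back to a version of 0 where
# systemctl is missing) and print what would go into
# /etc/systemd/system/httpd.service.d/hardening.conf (hypothetical path).
# httpd needs the network, so PrivateNetwork=no is used for it.
version_line=$(systemctl --version 2>/dev/null || echo 'systemd 0')
render_dropin "$(systemd_version_from "$version_line")" no
```

On a real host, redirect the output into the drop-in directory for the service, run `systemctl daemon-reload` and restart the unit; `systemctl show -p PrivateDevices httpd.service` then reports whether the setting took effect. On an F20 system the function returns 208 and the drop-in carries only PrivateNetwork=, which is exactly the case Harald hit above.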