F21 System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For Long-Running Services

Lennart Poettering mzerqung at 0pointer.de
Thu Mar 27 21:50:06 UTC 2014


On Wed, 26.03.14 11:28, Bill Nottingham (notting at splat.cc) wrote:

> Jaroslav Reznik (jreznik at redhat.com) said: 
> > = Proposed System Wide Change: PrivateDevices=yes and PrivateNetwork=yes For 
> > Long-Running Services =
> > https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
> > 
> > Change owner(s): Lennart Poettering <lennart at poettering dot net>, Dan 
> > Walsh, Kay Sievers
> > 
> > Let's make Fedora more secure by default! Recent systemd versions provide two 
> > per-service switches PrivateDevices=yes/no and PrivateNetwork=yes/no which 
> > enable services to run without access to any physical devices in /dev, or 
> > without access to any kind of network sockets. So far this has seen little use in 
> > Fedora, and with this Fedora Change we'd like to change this, and enable these 
> > for all long-running services that do not require device/network access. 
> 
> Can you define 'recent' here? While we wouldn't want to change the behavior
> of existing F20 or earlier services, it would be worthwhile to know if
> packages built for EPEL 7 could/should use this feature as well.

Both PrivateDevices= and PrivateNetwork= I'd only advocate using on F21,
really.

PrivateNetwork= should mostly work the same way on F20 already, with one
exception, however. On F20 and older the notification socket systemd
used as the backend for sd_notify() and friends was in the abstract
namespace, which is affected by PrivateNetwork=. This means
PrivateNetwork= effectively breaks sd_notify() there. On F21 we moved
the socket into the file system instead, which is unaffected by
PrivateNetwork=, hence sd_notify() works fine there, regardless of whether
PrivateNetwork= is used or not. (Note that moving the socket is not
compat breakage, since it was mostly dynamic previously, and hence people
already had to check $NOTIFY_SOCKET for it, which allowed us to cleanly
move it to a different place.)

PrivateDevices= is only available in F21.

I filed this as a feature for F21, and that's what it is about. Since the
differences in the effect of PrivateNetwork= between F20 and F21 are
hard to explain, I really would prefer to focus on F21 only for this.

Hope that makes sense,

Lennart

-- 
Lennart Poettering, Red Hat
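As an added example (not part of this thread, the Fedora change page, or systemd itself): a POSIX sh self-check that a service could run from ExecStartPre= to confirm that PrivateDevices=yes and PrivateNetwork=yes are actually in effect, and to flag the F20 pitfall described above, an abstract-namespace $NOTIFY_SOCKET (value starting with "@") that PrivateNetwork=yes cuts off, since abstract unix sockets belong to the network namespace while filesystem sockets do not. ExecStartPre= runs inside the same sandbox as ExecStart=, so the check sees the service's own view of /dev and of the network interfaces. The install path /usr/local/bin/sandbox-check and the --check flag are assumptions of this example.

```shell
#!/bin/sh
# sandbox-check: verify a systemd service's PrivateDevices=/PrivateNetwork=
# sandbox from inside the unit. Added example; not code from systemd or
# from the Fedora change page. Intended usage (path is an assumption):
#   ExecStartPre=/usr/local/bin/sandbox-check --check

# Classify a $NOTIFY_SOCKET value. "@..." is an abstract-namespace socket,
# which lives in the network namespace and is therefore unreachable once
# PrivateNetwork=yes gives the service its own namespace (the F20 case).
# "/..." is a filesystem socket (F21: /run/systemd/notify) and is unaffected.
notify_socket_kind() {
    case "$1" in
        "")  echo none ;;
        @*)  echo abstract ;;
        /*)  echo filesystem ;;
        *)   echo unknown ;;
    esac
}

# Succeeds (exit 0) only if sd_notify() would still reach the manager
# with PrivateNetwork=yes, i.e. the socket is a filesystem socket.
notify_works_with_private_network() {
    [ "$(notify_socket_kind "$1")" = filesystem ]
}

# Count network interfaces other than "lo" in a sysfs-style directory
# (default /sys/class/net). With PrivateNetwork=yes only lo should exist.
nonloopback_ifaces() {
    dir="${1:-/sys/class/net}"
    n=0
    for i in "$dir"/*; do
        [ -e "$i" ] || continue
        [ "$(basename "$i")" = lo ] && continue
        n=$((n + 1))
    done
    echo "$n"
}

# Count block devices in a /dev-like directory (default /dev). With
# PrivateDevices=yes only pseudo-devices such as null, zero and random
# remain, so no block devices should be visible.
block_devices() {
    dir="${1:-/dev}"
    n=0
    for d in "$dir"/*; do
        [ -b "$d" ] && n=$((n + 1))
    done
    echo "$n"
}

# Run all checks against the live environment; non-zero exit means at
# least one expectation of the sandbox does not hold.
sandbox_check() {
    rc=0
    kind=$(notify_socket_kind "${NOTIFY_SOCKET:-}")
    if [ "$kind" = abstract ]; then
        echo "warning: NOTIFY_SOCKET=$NOTIFY_SOCKET is an abstract socket; sd_notify() breaks under PrivateNetwork=yes" >&2
        rc=1
    fi
    if [ "$(nonloopback_ifaces)" -ne 0 ]; then
        echo "warning: non-loopback interfaces visible; PrivateNetwork=yes is not in effect" >&2
        rc=1
    fi
    if [ "$(block_devices)" -ne 0 ]; then
        echo "warning: block devices visible in /dev; PrivateDevices=yes is not in effect" >&2
        rc=1
    fi
    return $rc
}

# Only run the live check when invoked with --check (an assumed flag), so the
# functions can also be sourced and exercised on constructed directories.
if [ "${1:-}" = --check ]; then
    sandbox_check
fi
```

A Type=notify service that passes this check on F21 (filesystem $NOTIFY_SOCKET, only lo, no block devices) is the configuration the change proposes; the abstract-socket warning is exactly the F20 case Lennart describes, where the unit would appear to hang in "activating" because READY=1 never reaches the manager.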

