Re: CVE-2016-8655, systemd, and Fedora
From: Lennart Poettering <mzerqung-AT-0pointer.de>
To: Development discussions related to Fedora <devel-AT-lists.fedoraproject.org>
Subject: Re: CVE-2016-8655, systemd, and Fedora
Date: Mon, 12 Dec 2016 22:02:34 +0100
Message-ID: <20161212210234.GB24871@gardel-login>

On Mon, 12.12.16 13:14, Matthew Miller (mattdm@fedoraproject.org) wrote:

> Question 2: What about *other* systemd security features? The blog post
> mentions restricting namespaces as an upcoming feature, and there are
> other existing ones which we are not using systemically — like
> PrivateTmp, ProtectSystem, etc. How can we take better advantage of
> these?

Hmm, yeah, I should probably blog more about all the nice sandboxing features we have now in systemd. There's quite some stuff now we should enable wherever we can. Specifically ProtectSystem=, ProtectHome=, ProtectKernelTunables=, ProtectKernelModules=, ProtectedControlGroups=, PrivateUsers=, PrivateTmp=, PrivateDevices=, PrivateNetwork=, SystemCallFilter=, RestrictAddressFamilies=, RestrictNamespaces=, MemoryDenyWriteExecute=, RestrictRealtime=.

For now, the only docs available for them are the man pages. Not all of them are available on all currently maintained Fedoras, but a good chunk is.

Lennart

--
Lennart Poettering, Red Hat
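
Added example (not part of the original message and not systemd project code): a small Python check that reports which of the sandboxing directives listed in the message a unit's `[Service]` section leaves unset or switched off. The sample unit is constructed, the function names are hypothetical, and the list uses the spelling `ProtectControlGroups=` from systemd.exec(5).

```python
"""Audit a unit file for the sandboxing directives named in the message."""

# Directive names as spelled in systemd.exec(5).
SANDBOX_DIRECTIVES = (
    "ProtectSystem", "ProtectHome", "ProtectKernelTunables",
    "ProtectKernelModules", "ProtectControlGroups", "PrivateUsers",
    "PrivateTmp", "PrivateDevices", "PrivateNetwork", "SystemCallFilter",
    "RestrictAddressFamilies", "RestrictNamespaces",
    "MemoryDenyWriteExecute", "RestrictRealtime",
)
# An empty assignment resets a setting; these values switch a boolean off.
OFF_VALUES = {"", "no", "false", "0", "off"}

def service_settings(unit_text):
    """Return {directive: last assigned value} for the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value                # a later assignment overrides
    return settings

def missing_sandboxing(unit_text):
    """List the directives that are absent, reset, or explicitly disabled."""
    settings = service_settings(unit_text)
    return [d for d in SANDBOX_DIRECTIVES
            if settings.get(d, "").lower() in OFF_VALUES]

# Constructed sample unit for a hypothetical service (not from the thread).
SAMPLE_UNIT = """\
[Unit]
Description=Example daemon

[Service]
ExecStart=/usr/bin/exampled
PrivateTmp=yes
ProtectSystem=full
PrivateDevices=no
# ProtectHome=yes
RestrictAddressFamilies=AF_UNIX AF_INET
"""

if __name__ == "__main__":
    for name in missing_sandboxing(SAMPLE_UNIT):
        print(f"not enabled: {name}=")
```

The check reads a single file only; drop-ins under `*.service.d/` and directives unavailable on the installed systemd version are outside what it looks at.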