| From: |
| Paul Wouters <paul-AT-nohats.ca> |
| To: |
| Development discussions related to Fedora <devel-AT-lists.fedoraproject.org> |
| Subject: |
| Re: CVE-2016-8655, systemd, and Fedora |
| Date: |
| Mon, 12 Dec 2016 14:41:06 -0500 (EST) |
| Message-ID: |
| <alpine.LRH.2.20.1612121439070.19054@bofh.nohats.ca> |
On Mon, 12 Dec 2016, Matthew Miller wrote:
> Question 1: How can we take advantage of this feature in specific? We
> could bulk file a bunch of bugs. Or, what about turning on some more
> restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in
> Rawhide, and having services which have different needs add exceptions
> to their own unit files (either more or less restrictive).
I don't see the use of a flag day. Everyone can (and should) implement
it in their services file and people can file bug reports for those that
do not?
> Question 2: What about *other* systemd security features? The blog post
> mentions restricting namespaces as an upcoming feature, and there are
> other existing ones which we are not using systemically — like
> PrivateTmp, ProtectSystem, etc. How can we take better advantage of
> these?
Same?
Note that I wonder if restricting address families really belongs in
systemd. Why isnt this a libcap-ng capability? That way my software
can support this without depending on systemd.
Paul
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-leave@lists.fedoraproject.org
