On 09.12.2016 at 01:56, Michael Biebl wrote:
Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
The one linked from fdo
(http://0pointer.de/blog/projects/security.html) is pretty dated and
the systemd.exec man page is not coherent enough with regards to
security/sandboxing.
Related to that, I think it would be good if we would annotate in the
man page, which sandboxing features work for user services and which
don't. It's not always immediately obvious which feature requires root
privileges
"requires root privileges" - a question here:
In my understanding these features are applied *before* privileges are
dropped to "User" and "Group":
User=sa-milt
Group=sa-milt
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
# one deny-list value; a trailing backslash joins the wrapped lines
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \
    delete_module fanotify_init finit_module get_mempolicy init_module \
    io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \
    kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \
    open_by_handle_at perf_event_open pivot_root process_vm_readv \
    process_vm_writev ptrace remap_file_pages request_key set_mempolicy \
    swapoff swapon umount2 uselib vmsplice
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
https://lists.freedesktop.org/mailman/listinfo/systemd-devel
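The question in the thread (which of these directives need root, i.e. which ones a per-user `systemd --user` cannot apply) can be answered per directive by looking at the kernel mechanism each one uses. The script below is an added example, not code from systemd or from either mail author: it parses the [Service] fragment posted above (with backslash continuations so that the wrapped SystemCallFilter= line is one logical line) and reports, for each sandboxing directive, the privilege the service manager needs to apply it. The NEEDS table is my own reading of the underlying mechanism (mount namespaces, setuid/setgid, capability bounding set, seccomp), not an official systemd list, and it assumes the manager runs in the initial user namespace; SAMPLE_UNIT is constructed from the values in the message.

```python
"""Which [Service] sandboxing directives can an unprivileged systemd --user
instance actually apply?  Added example, not code from systemd or the mail's
author.  NEEDS is my reading of the kernel mechanism behind each directive
and assumes the initial user namespace (no PrivateUsers=)."""
from typing import Dict, Iterator, List, Tuple

# Directive -> privilege the service manager needs on the host to apply it.
# "none" entries work from an unprivileged process, hence in a per-user
# instance; the others need capabilities only the root system instance has.
NEEDS: Dict[str, str] = {
    "User": "CAP_SETUID (switching uid)",
    "Group": "CAP_SETGID (switching gid)",
    "PrivateTmp": "CAP_SYS_ADMIN (new mount namespace)",
    "PrivateDevices": "CAP_SYS_ADMIN (new mount namespace)",
    "PrivateNetwork": "CAP_SYS_ADMIN (new network namespace)",
    "ProtectSystem": "CAP_SYS_ADMIN (new mount namespace)",
    "RootDirectory": "CAP_SYS_CHROOT (chroot)",
    "CapabilityBoundingSet": "CAP_SETPCAP (prctl PR_CAPBSET_DROP)",
    # A seccomp filter can be installed without privilege once the process
    # has no_new_privs set; otherwise the kernel demands CAP_SYS_ADMIN.
    "NoNewPrivileges": "none (prctl PR_SET_NO_NEW_PRIVS)",
    "SystemCallFilter": "none (seccomp, given no_new_privs)",
    "RestrictAddressFamilies": "none (seccomp, given no_new_privs)",
}


def logical_lines(text: str) -> Iterator[str]:
    """Join lines ending in a backslash the way systemd's unit parser does
    (the backslash becomes a space).  configparser cannot do this, nor keep
    repeated keys in order, so the unit file is parsed by hand."""
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending.append(line[:-1].rstrip())
            continue
        pending.append(line)
        yield " ".join(pending)
        pending = []
    if pending:  # file ended on a continuation line
        yield " ".join(pending)


def parse_service_section(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs from [Service], in file order."""
    pairs: List[Tuple[str, str]] = []
    section = None
    for line in logical_lines(text):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def split_filter(value: str) -> Tuple[bool, List[str]]:
    """Split a SystemCallFilter=/RestrictAddressFamilies= value into
    (is_deny_list, items); a leading '~' makes it a deny list."""
    return value.startswith("~"), value.lstrip("~").split()


def classify(text: str) -> List[Tuple[str, str, bool]]:
    """(directive, needed privilege, usable from a user instance) for each
    known sandboxing directive in [Service]."""
    out = []
    for key, _value in parse_service_section(text):
        need = NEEDS.get(key)
        if need is not None:
            out.append((key, need, need.startswith("none")))
    return out


def user_service_blockers(text: str) -> List[str]:
    """Directives in the unit that a per-user systemd cannot apply."""
    return [key for key, _need, ok in classify(text) if not ok]


# Constructed sample: [Service] values copied from the message above, with
# '\' continuations so the wrapped SystemCallFilter= is one logical line.
SAMPLE_UNIT = """\
[Unit]
Description=constructed sample, [Service] values copied from the message

[Service]
User=sa-milt
Group=sa-milt
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \\
    delete_module fanotify_init finit_module get_mempolicy init_module \\
    io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \\
    kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \\
    open_by_handle_at perf_event_open pivot_root process_vm_readv \\
    process_vm_writev ptrace remap_file_pages request_key set_mempolicy \\
    swapoff swapon umount2 uselib vmsplice
"""

if __name__ == "__main__":
    for key, need, ok in classify(SAMPLE_UNIT):
        print(f"{key:24} {'user-ok' if ok else 'ROOT ONLY':10} {need}")
    print("blockers for a user service:", user_service_blockers(SAMPLE_UNIT))
```

Run against the posted fragment, the five directives that need the system instance are User=, Group=, PrivateTmp=, PrivateDevices= and CapabilityBoundingSet=; the seccomp-based ones (NoNewPrivileges=, SystemCallFilter=, RestrictAddressFamilies=) work unprivileged. Note that the table only says what a user instance can apply; it does not describe the order in which the system instance applies them, which is what the question above is about.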