Il 07/06/2017 09:22, Lennart Poettering ha scritto:
> On Tue, 06.06.17 17:44, Germano Massullo (germano.massu...@gmail.com) wrote:
>
>> 2017-06-06 14:40 GMT+02:00 Lennart Poettering <mzerq...@0pointer.de>:
>>> Note sure what "boinc-client" does, but if this isn't turstworthy then
>>> it probably shouldn't be able to get access to "video".
>> boinc-client is the client side version of BOINC (Berkeley Open
>> Infrastructure for Network Computing). You can use your computers to
>> help scientific research of many different projects. You can think
>> about it as a music player, the projects as the music discs, and the
>> working units as disc tracks.
>> Since working units are closed source software we always considered
>> them not trustworthy, therefore they always runned confined as much as
>> possible
> If so, this sounds like a great candidate for using systemd's
> sandboxing functionality. Things like CapabilityBoundingSet=,
> PrivateTmp=, ProtectSystem=, ProtectHome=, ProtectKernelTunables=,
> ProtectKernelModules=, ProtectControlGroup=, SystemCallFilter=,
> SystemCallArchitectures=, RestrictAddressFamilies=,
> RestrictNamespaces=, RestrictRealtime=, ...
>
> See systemd.exec(5) for more information.
>
> Lennart
>
Thank you, I will consider systemd sandboxing too
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
