Hi

On Thu, Mar 3, 2022 at 9:51 AM Lennart Poettering wrote:
>
> Yes, opt-out would be better than opt-in, but it would be a major
> compat break, UNIX software doesn't expect to be sandboxed, so if you
> sandbox everything out-of-the-box you'll be drowning in bugs, and the
> failure modes are not overly nice, i.e. you'll mostly rely on
> EPERM/EACCES hopefully being logged sanely by the relevant software.
>
> ProtectHome= for example implies that a separate mount namespace is
> allocated for each service. If you enable that for *all* services at
> once, then this means all services will suddenly live in their own
> mount namespaces, and the mounts they establish will not propagate
> elsewhere anymore. Thus you broke at least udisks, storaged, homed,
> systemd-runtime-dir@.service and these kinds of things — because they
> exist precisely to establish mounts in the system.
>

What I would suggest here is we make it easier to adopt the opt-out model by explicitly setting services to opt out for things they can't handle, i.e. if a core set of services we ship within Fedora itself needs some permissions, including ProtectHome set to false, push for upstream/distro to have those knobs set to false explicitly within the service, so the permissions it needs are more clearly documented within the service itself. Then, if a hardened variant of a distro or a sysadmin wants to flip the model, they will have a considerably easier time with this.

Nagging is a good starting point but doesn't go far enough. The adoption of these features is still very low. We can do better.

Rahul
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
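The opt-out model Rahul describes only pays off if every sandboxing knob a service cares about is written down in the unit, whichever way it is set. The script below is an added example, not code from Fedora, systemd or anyone in the thread: it audits a single unit file and reports, for an assumed list of directives, which ones are set explicitly in [Service] and which silently inherit the default. The constructed demo unit is a mount-establishing service that documents `ProtectHome=no` rather than leaving it implicit.

```shell
#!/bin/sh
# Constructed audit helper (not a systemd tool). Reads one unit file; drop-ins are
# not merged, so feed it `systemctl cat` output saved to a file if you need those.

# Assumed set of knobs a hardened policy would want to see spelled out explicitly.
HARDENING_KNOBS="ProtectHome ProtectSystem PrivateTmp NoNewPrivileges ProtectKernelTunables"

# audit_unit UNITFILE
# Prints "Knob=value" for knobs explicitly assigned in [Service] (last assignment
# wins, as in systemd) and "Knob unset (inherits default)" otherwise.
# Returns 0 when every knob is explicit, 1 when at least one is missing.
audit_unit() {
    unit="$1"
    missing=0
    for knob in $HARDENING_KNOBS; do
        line=$(awk -v k="$knob" '
            /^\[/ { insvc = ($0 == "[Service]"); next }
            insvc && $0 !~ /^[#;]/ {
                split($0, kv, "=")
                key = kv[1]; gsub(/[ \t]/, "", key)
                if (key == k) { sub(/^[^=]*=[ \t]*/, ""); v = $0; found = 1 }
            }
            END { if (found) printf "yes=%s\n", v }' "$unit")
        case $line in
            yes=*) printf '%s=%s\n' "$knob" "${line#yes=}" ;;
            *)     printf '%s unset (inherits default)\n' "$knob"; missing=1 ;;
        esac
    done
    return $missing
}

# Constructed demo: a service that must establish mounts in /home opts out explicitly.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[Unit]
Description=constructed example of an explicitly opted-out service

[Service]
ExecStart=/usr/bin/true
# Establishes mounts under /home, so it cannot live in a private mount namespace.
ProtectHome=no
PrivateTmp=yes
NoNewPrivileges=yes
EOF
audit_unit "$demo" || echo "some hardening knobs are not explicit in $demo"
rm -f "$demo"
```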