On 09/12/16 19:13, Christian Hesse wrote:
> From: Christian Hesse <m...@eworm.de>
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGroups=).
> ProtectHome=true makes the directories /home, /root and /run/user
> inaccessible and empty for the process.

Currently I don't think we can use ProtectedHome= .... as it is fully
possible to save certificates and keys under $HOME/.cert on Fedora/RHEL
(and clones).  There is even a specific SELinux label for files in that
path, home_cert_t.

For the others, I think they are more reasonable ... But I need to dig
into the more murky details to be 100% they are safe for us.  This is
anyhow something we need to postpone until after 2.4.0 ... I don't dare
adding more things which may backfire in rc2, as we're on a strict
schedule to manage the next Debian release.

Once rc2 settles, I will start playing with this patch.

kind regards,

David Sommerseth
OpenVPN Technologies, Inc

Attachment: signature.asc
Description: OpenPGP digital signature

Developer Access Program for Intel Xeon Phi Processors
Access to Intel Xeon Phi processor-based developer platforms.
With one year of Intel Parallel Studio XE.
Training and support from Colfax.
Order your platform today.http://sdm.link/xeonphi
Openvpn-devel mailing list

Reply via email to