Hi again,
Ansgar Burchardt wrote (31 Jul 2014 10:04:52 GMT) :
Oh, and one other thing that might be worth mentioning in this context:
| Be careful, though: LSMs might also not tighten constraints on exec
| in no_new_privs mode. (This means that setting up a general-purpose
| service launcher to set no_new_privs before execing daemons may
| interfere with LSM-based sandboxing.)
+--[ Documentation/prctl/no_new_privs.txt ]
I have no idea about LSMs, but I would expect this to only matter if you
either rely on the kernel to setup the sandbox for the service (and do
not use AppArmorProfile=) or if the service executes programs that
should have even tigher restrictions. Both of which should not affect
services like tor, but might be relevant for others.
Indeed, this won't affect the tor service: my intention is to use
AppArmorProfile= in its unit file as soon as systemd v210+ is
available in Debian, to replicate how we're doing it in the
initscript. I'll double-check once we're at this point, though.
Cheers,
--
intrigeri
___
Pkg-systemd-maintainers mailing list
Pkg-systemd-maintainers@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
