[systemd-devel] Use of capabilities in default service files

Lennart Poettering lennart at poettering.net
Wed Jul 22 12:32:26 PDT 2015


On Mon, 20.07.15 13:24, Florian Weimer (fweimer at redhat.com) wrote:

> What's the intent of these settings?  Is it a form of hardening?  If
> yes, it is rather ineffective because UID=0 does not need any
> capabilities to completely compromise the system.

Well, we run our stuff with minimal attack surface. While the caps
stuff is not a complete sandbox, we should take away all privs we
can. In particular since many of the caps become useful as soon as
you combine them with other options we have, for example
PrivateNetwork=yes, PrivateDevices=yes, ProtectSystem=yes and
PrivateTmp=yes. Because in that case, write access to root-owned files
is quite restricted by other means than just plain access modes...

Of course, even then the sandbox will still have many holes, but I am
happy to improve things where it makes sense. For example, I'd love it
if "hidepid=" would become a true mount option for /proc that we can
set differently for each namespace. Because then we could take away
access to other root-owned processes from a service running as root.

Long story short: the caps bounding set is one piece in a bigger
puzzle. As the only puzzle piece they are pretty shitty, but if you
put them together with others they'll turn into a pretty picture. And
while not all pieces for the complete puzzle might be in the game yet,
we should put the ones together we already possess.

Lennart

-- 
Lennart Poettering, Red Hat
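As an added illustration of the combination Lennart describes (not part of the original message or of systemd's shipped units), the following unit restricts the capability bounding set and, in the same service, turns on the namespace and mount options named above. The service name, binary path and the single retained capability (CAP_DAC_READ_SEARCH, for a hypothetical daemon that only needs to read files owned by other users) are assumptions; a real unit keeps only the capabilities its program actually exercises.

```ini
# Hypothetical hardened service: example-daemon.service (added example).
# systemd unit files do not allow trailing comments after a value,
# so every comment sits on its own line.
[Unit]
Description=Example local file-processing daemon, sandboxed

[Service]
# Placeholder binary path.
ExecStart=/usr/bin/example-daemon

# Bounding set: everything not listed is removed, including for UID 0.
# The default for a root service is the full set; listing one capability
# drops the other ~40. An empty assignment (CapabilityBoundingSet=) drops all.
CapabilityBoundingSet=CAP_DAC_READ_SEARCH

# Stop the process and its children from regaining privileges through
# setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes

# The options from the message. On their own each is a partial measure;
# together with the reduced bounding set they close the paths a root process
# would otherwise use to write to root-owned files or reach the outside.
# Own network namespace containing only loopback.
PrivateNetwork=yes
# Private /dev with only pseudo-devices (null, zero, random, ...),
# so no raw disk or memory device nodes are reachable.
PrivateDevices=yes
# /usr and /boot mounted read-only for this service.
ProtectSystem=yes
# Private /tmp and /var/tmp, invisible to other services.
PrivateTmp=yes
# Home directories made inaccessible (not named in the message, same family).
ProtectHome=yes

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemctl show -p CapabilityBoundingSet example-daemon.service` prints the effective bounding set, and `systemd-analyze security example-daemon.service` (available in newer systemd releases) lists which of these sandboxing directives are set and scores the remaining exposure, which is a quick way to see the "puzzle pieces" still missing for a given service.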
