[systemd-devel] About http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html

Reindl Harald h.reindl at thelounge.net
Fri Dec 9 01:01:01 UTC 2016



Am 09.12.2016 um 01:56 schrieb Michael Biebl:
> Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
> The one linked from fdo
> (http://0pointer.de/blog/projects/security.html) is pretty dated and
> the systemd.exec man page is not coherent enough with regards to
> security/sandboxing.
>
> Related to that, I think it would be good if we would annotate in the
> man page, which sandboxing features work for user services and which
> don't. It's not always immediately obvious which feature requires root
> privileges

"requires root privileges" - a question here

in my understanding these features are applied *before* dropping the privileges 
to "User" and "Group"

User=sa-milt
Group=sa-milt
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \
delete_module fanotify_init finit_module get_mempolicy init_module \
io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \
kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \
open_by_handle_at perf_event_open pivot_root process_vm_readv \
process_vm_writev ptrace remap_file_pages request_key set_mempolicy \
swapoff swapon umount2 uselib vmsplice
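As an added example (not code from the post, from systemd or from the thread's authors): a small parser for the [Service] section of a unit that handles backslash line continuations and the "~" prefix used by SystemCallFilter= and RestrictAddressFamilies=, so that a reviewer can answer "is this syscall / address family / capability still permitted under this unit?" from the file alone. The sample unit is constructed from the fragment quoted above; the only semantics assumed are that a leading "~" turns a list into a denylist, that repeated assignments of the same mode extend the list, and that an empty assignment resets it. Mixed allow/deny assignments have subtler rules in systemd and are deliberately rejected rather than guessed.

```python
# Added example, not part of the mailing-list post: parse a systemd unit's
# [Service] section and evaluate its list-type sandboxing directives.
import re

# Constructed sample input, built from the unit fragment in the post.
SAMPLE_UNIT = """\
[Service]
User=sa-milt
Group=sa-milt
PrivateTmp=yes
PrivateDevices=yes
NoNewPrivileges=yes
CapabilityBoundingSet=CAP_KILL
RestrictAddressFamilies=~AF_APPLETALK AF_ATMPVC AF_AX25 AF_PACKET AF_X25
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime \\
delete_module fanotify_init finit_module get_mempolicy init_module \\
io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp \\
kexec_load keyctl lookup_dcookie mbind migrate_pages mount move_pages \\
open_by_handle_at perf_event_open pivot_root process_vm_readv \\
process_vm_writev ptrace remap_file_pages request_key set_mempolicy \\
swapoff swapon umount2 uselib vmsplice
"""


def join_continuations(text):
    """Glue lines ending in a backslash to the following line."""
    lines, buf = [], ""
    for raw in text.splitlines():
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        lines.append(buf + raw)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_section(text, section="Service"):
    """Return {key: [value, ...]} for one section; repeated keys accumulate in order."""
    current, out = None, {}
    for line in join_continuations(text):
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1)
            continue
        if current != section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        out.setdefault(key.strip(), []).append(value.strip())
    return out


def list_policy(values):
    """Interpret a space-separated list directive.

    A leading "~" makes the list a denylist (everything not listed is allowed);
    without it the list is an allowlist. Later assignments of the same mode
    extend the set; an empty assignment resets it (assumption stated in lead-in).
    """
    mode, items = None, set()
    for v in values:
        if v == "":
            mode, items = None, set()
            continue
        deny = v.startswith("~")
        names = set(v.lstrip("~").split())
        if mode is None:
            mode, items = ("deny" if deny else "allow"), names
        elif (mode == "deny") == deny:
            items |= names
        else:
            # Mixed allow/deny assignments are not modelled here.
            raise ValueError("mixed allow/deny assignments are not supported")
    return mode, items


def is_permitted(values, name):
    """True if `name` survives the directive; an unset directive restricts nothing."""
    mode, items = list_policy(values)
    if mode is None:
        return True
    return (name not in items) if mode == "deny" else (name in items)


def effective_restrictions(unit_text):
    """Collect the directives a reviewer would check from the [Service] section."""
    svc = parse_section(unit_text)
    return {
        "user": svc.get("User", [None])[-1],
        "no_new_privs": svc.get("NoNewPrivileges", ["no"])[-1] == "yes",
        "capabilities": svc.get("CapabilityBoundingSet", []),
        "syscalls": svc.get("SystemCallFilter", []),
        "families": svc.get("RestrictAddressFamilies", []),
    }


if __name__ == "__main__":
    r = effective_restrictions(SAMPLE_UNIT)
    for sc in ("ptrace", "mount", "read"):
        print(sc, "permitted" if is_permitted(r["syscalls"], sc) else "denied")
```

Run it against any unit file's text instead of SAMPLE_UNIT to see which of the listed syscalls and address families the denylists actually cover once continuations are joined; note that "vmsplice" at the end of the wrapped SystemCallFilter= line is only seen as part of the filter because the backslash continuations are honoured.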

