[systemd-devel] About http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html
Topi Miettinen
toiwoton at gmail.com
Fri Dec 9 19:29:08 UTC 2016
On 12/09/16 00:56, Michael Biebl wrote:
> Btw, I think we are lacking a good systemd sandboxing howto/tutorial.
> The one linked from fdo
> (http://0pointer.de/blog/projects/security.html) is pretty dated and
> the systemd.exec man page is not coherent enough with regards to
> security/sandboxing.
>
> Related to that, I think it would be good if we would annotate in the
> man page, which sandboxing features work for user services and which
> don't. It's not always immediately obvious which feature requires root
> privileges.
Agreed. I started making a tool that helps with the systemd service unit
settings. It's not finished (is any software ever finished), but can
generate reasonable values from a representative test run of the service.
Please check out:
https://github.com/topimiettinen/systemd-settings-generator/blob/master/strace.stp
Earlier announcement:
https://lists.freedesktop.org/archives/systemd-devel/2016-August/037310.html
-Topi
More information about the systemd-devel
mailing list