In case you haven't seen: there was a recent kernel vulnerability in a
feature called "AF_PACKET". Most services don't need to use the raw
sockets this makes available, and on his blog*, Lennart Poettering notes
that systemd actually has a feature where services can whitelist or
blacklist address families, protecting them from not just this exploit
but similar classes.

The upcoming systemd v232 will include this by default for systemd's
own unit files. But, of course, that's a tiny subset of services in
Fedora. So....

Question 1: How can we take advantage of this feature in specific? We
could bulk file a bunch of bugs. Or, what about turning on some more
restrictive defaults (AF_INET AF_INET6 AF_UNIX) on some flag day in
Rawhide, and having services which have different needs add exceptions
to their own unit files (either more or less restrictive).

Question 2: What about *other* systemd security features? The blog post
mentions restricting namespaces as an upcoming feature, and there are
other existing ones which we are not using systemically — like
PrivateTmp, ProtectSystem, etc. How can we take better advantage of
these?
* http://0pointer.net/blog/avoiding-cve-2016-8655-with-systemd.html
-- 
Matthew Miller
<mat...@fedoraproject.org>
Fedora Project Leader
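Below is an added illustration of the scheme in Question 1 and the directives in Question 2; it is not from the original post or from Fedora's packaging. It shows a host-wide drop-in that applies the restrictive address-family default to every service, beside a per-service drop-in for a hypothetical example-daemon.service that needs one extra family. The file paths, the unit name and AF_NETLINK as the extra family are assumptions.

```ini
# Added example (not from the original post). Both fragments are systemd
# drop-ins; the paths and the unit name "example-daemon" are hypothetical.

# --- /etc/systemd/system/service.d/10-restrict-af.conf --------------------
# A drop-in under service.d/ applies to every .service unit on the host,
# which is one way to stand in for the "flag day" default from Question 1.
[Service]
# Kernel seccomp filter on socket(2): any socket() call with a family not
# listed here fails with EAFNOSUPPORT, so an AF_PACKET socket (the family
# behind the CVE the post refers to) can no longer be opened by the service.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# The other hardening directives mentioned in Question 2, as examples of
# sensible host-wide defaults:
PrivateTmp=yes          # private /tmp and /var/tmp instead of the shared ones
ProtectSystem=full      # /usr, /boot and /etc read-only for the service
ProtectHome=yes         # /home, /root and /run/user appear empty
NoNewPrivileges=yes     # setuid/fscaps cannot raise privileges after exec

# --- /etc/systemd/system/example-daemon.service.d/20-af-exceptions.conf --
# Per-service exception for a daemon that genuinely needs AF_NETLINK
# (assumed here purely for illustration). Repeated RestrictAddressFamilies=
# lines are merged, so this adds to the host-wide list rather than replacing
# it; assigning an empty value would reset the list instead.
[Service]
RestrictAddressFamilies=AF_NETLINK

# After `systemctl daemon-reload`, the effective merged list can be checked
# with:  systemctl show -p RestrictAddressFamilies example-daemon.service
```

The address-family restriction is enforced with seccomp, so it only takes effect on kernels and architectures where systemd's seccomp support is available; on others the directive is silently ignored.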