Hi

On Tue, Dec 13, 2016 at 12:00 PM Lennart Poettering
> Well, some of them are pretty drastic. For example, I think it would
> make a ton of sense to run all daemons where that's possible with
> ProtectSystem=strict. This would make the entire directory tree
> read-only for them (with the exception of API VFS, i.e. /proc, /sys,
> /dev), and then requires ReadWritePaths= to be used to whitelist the
> select few paths the service shall be able to write to.
>
> If we'd globally say that all services now run with
> ProtectSystem=strict by default, then we'd break pretty much all
> services that want to write something anywhere, until they get updated
> with the right ReadWritePaths= statements... And I have the suspicion
> that this kind of churn would upset quite a few people... I mean, I am
> all for breaking eggs to make an omelette, but maybe not break all
> eggs in the egg carton at once ;-)


I am not sure anyone is suggesting breaking things.  There is a pretty
incremental approach to this which starts off with encouraging services to
whitelist things they need and when enough services do that, toggle the
equivalent sandboxing feature by default and increase coverage over time.
If it requires every service to understand all the sandboxing features and
enable it manually, we aren't getting security features by default and we
really should.

Rahul
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
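As an added illustration of the ProtectSystem=strict / ReadWritePaths= combination discussed above (this is not code from the thread, from systemd, or from any Fedora package): a per-service drop-in of the kind Rahul's incremental approach would have each packager add. The service name "exampled" and the two paths it writes to are assumptions; substitute the real daemon and the directories it actually needs.

```ini
# /etc/systemd/system/exampled.service.d/10-sandbox.conf
# Added example, not from the thread: a hardening drop-in for a hypothetical
# "exampled" daemon. The unit name and paths are assumptions.
[Service]
# Mount the entire directory tree read-only for this service. Only the API
# filesystems (/dev, /proc, /sys) stay writable. Unlike ProtectSystem=full,
# "strict" also makes /etc, /var, /home and /tmp read-only, which is why
# most daemons need at least one ReadWritePaths= entry to keep working.
ProtectSystem=strict

# Whitelist the few paths the daemon legitimately writes. Everything else
# returns EROFS ("Read-only file system") on write.
ReadWritePaths=/var/lib/exampled /var/log/exampled

# Give the service a private /tmp so the shared one need not be whitelisted.
PrivateTmp=yes
```

After `systemctl daemon-reload` and a restart, the practical check is to watch the journal for "Read-only file system" errors from the daemon: each one is a path that belongs in ReadWritePaths= (or a write the daemon should not be doing). Because the setting lives in a drop-in for one unit rather than in a global default, a service that has not yet been audited is untouched, which is the incremental rollout described above rather than the "break all eggs at once" scenario Lennart warns about.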
