On 09/12/16 19:13, Christian Hesse wrote:
> From: Christian Hesse <m...@eworm.de>
>
> ProtectSystem=strict mounts the entire file system hierarchy read-only,
> except for the API file system subtrees /dev, /proc and /sys (which can
> be protected using PrivateDevices=, ProtectKernelTunables=,
> ProtectControlGroups=).
>
> ProtectHome=true makes the directories /home, /root and /run/user
> inaccessible and empty for the process.
Currently I don't think we can use ProtectHome= ... as it is fully possible to save certificates and keys under $HOME/.cert on Fedora/RHEL (and clones). There is even a specific SELinux label for files in that path, home_cert_t.

For the others, I think they are more reasonable ... But I need to dig into the more murky details to be 100% sure they are safe for us.

This is anyhow something we need to postpone until after 2.4.0 ... I don't dare add more things which may backfire in rc2, as we're on a strict schedule to manage the next Debian release. Once rc2 settles, I will start playing with this patch.

--
kind regards,

David Sommerseth
OpenVPN Technologies, Inc
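As an added illustration (not part of Christian's patch or David's reply), this is how the settings discussed above would look as a systemd drop-in for an OpenVPN service unit. The unit name and the writable state path are placeholders, and ProtectHome=read-only (an existing value of that option) is used instead of true so that keys under $HOME/.cert remain readable.

```ini
# Added example, not the patch under discussion. Placed at
# /etc/systemd/system/<unit-name>.service.d/hardening.conf (unit name is a placeholder).
[Service]
# The whole hierarchy below / becomes read-only, except /dev, /proc and /sys.
ProtectSystem=strict
# Anything the daemon must still write (status file, PID file, ...) has to be
# listed explicitly. The path below is a placeholder, not a real OpenVPN path.
ReadWritePaths=/PLACEHOLDER/openvpn-state
# ProtectHome=true would hide /home, /root and /run/user completely and break
# setups that keep certificates and keys in $HOME/.cert (home_cert_t on
# Fedora/RHEL). read-only keeps those files readable but not writable.
ProtectHome=read-only
# The API file systems stay writable under ProtectSystem=strict, so they are
# locked down with their own options.
ProtectKernelTunables=true
ProtectControlGroups=true
# PrivateDevices=true is deliberately left out: it replaces /dev with a minimal
# set of pseudo-devices that does not include /dev/net/tun, which the VPN
# daemon needs for its tunnel interface.
```

After `systemctl daemon-reload`, newer systemd releases can score the result with `systemd-analyze security <unit-name>` to confirm which restrictions are in effect.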
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel