On 09/02/16 19:54, Sebastian Kuzminsky wrote:
> So it sounds useful and valuable, and I can see why people want it
> turned on.
Other systemd features that provide security hardening but might break some mount-operation patterns include ReadWriteDirectories, ReadOnlyDirectories, InaccessibleDirectories, ProtectSystem, ProtectHome and possibly PrivateDevices.

Non-systemd technologies with similar properties include unshare(1) and most containerization technologies (lxc, Docker, rkt, xdg-app and so on), because they're all using the same clone(2) and unshare(2) syscalls behind the scenes. systemd's hardening features are similar to unshare(1), starting with an uncontained service and selectively cutting off parts of its access to the host system, while typical containers start with a mostly-independent container and selectively share parts of the host system; but they're working along the same spectrum.

Of the systemd things, PrivateTmp is probably the most common because it's relatively easy to audit whether it's going to break a particular service, but I'm sure all the others are used somewhere in Debian too. The game engines that I maintain use most of them for their dedicated servers, because game servers are network-facing, don't need to access much outside their sandbox, and are typically written in the sort of C dialect that tends to be correlated with exploitable bugs.

S
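As an added illustration (not from the message above or from any Debian package), here is a unit drop-in that uses the directives Simon lists, with a comment on what each one changes and which service behaviour it can break. The service name `example-gameserver` and the paths under it are placeholders.

```ini
# Added example: /etc/systemd/system/example-gameserver.service.d/hardening.conf
# (hypothetical network-facing service; name and paths are placeholders).
#
# Every directive below gives the service its own mount namespace. A side
# effect is that mount(8) calls the service itself makes stay inside that
# namespace and are not seen by the rest of the system, which is the
# "mount-operation patterns" these settings can break.
[Service]
# Private /tmp and /var/tmp. Breaks any pattern where another process
# expects to pick up files this service writes to /tmp.
PrivateTmp=yes

# Private /dev containing only pseudo-devices (/dev/null, /dev/zero,
# /dev/random, ...). Breaks services that need real device nodes.
PrivateDevices=yes

# /usr and /boot are read-only for the service; "full" adds /etc.
ProtectSystem=full

# /home, /root and /run/user appear empty and inaccessible.
ProtectHome=yes

# Explicit read-write, read-only and hidden paths, using the names from the
# message (systemd 231 and later spell them ReadWritePaths=, ReadOnlyPaths=
# and InaccessiblePaths=; the old names remain accepted for compatibility).
ReadWriteDirectories=/var/lib/example-gameserver
ReadOnlyDirectories=/etc/example-gameserver
InaccessibleDirectories=/srv
```

After `systemctl daemon-reload`, a current systemd can score the result with `systemd-analyze security example-gameserver.service`, which is a quick way to audit how much of the spectrum above a unit actually uses.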