On 07/06/2017 09:22, Lennart Poettering wrote:
> On Tue, 06.06.17 17:44, Germano Massullo ([email protected]) wrote:
>
>> 2017-06-06 14:40 GMT+02:00 Lennart Poettering <[email protected]>:
>>> Not sure what "boinc-client" does, but if this isn't trustworthy then
>>> it probably shouldn't be able to get access to "video".
>> boinc-client is the client side version of BOINC (Berkeley Open
>> Infrastructure for Network Computing). You can use your computers to
>> help scientific research of many different projects. You can think
>> about it as a music player, the projects as the music discs, and the
>> working units as disc tracks.
>> Since working units are closed source software, we always considered
>> them not trustworthy; therefore they always ran confined as much as
>> possible.
> If so, this sounds like a great candidate for using systemd's
> sandboxing functionality. Things like CapabilityBoundingSet=,
> PrivateTmp=, ProtectSystem=, ProtectHome=, ProtectKernelTunables=,
> ProtectKernelModules=, ProtectControlGroup=, SystemCallFilter=,
> SystemCallArchitectures=, RestrictAddressFamilies=,
> RestrictNamespaces=, RestrictRealtime=, ...
>
> See systemd.exec(5) for more information.
>
> Lennart
>
Thank you, I will consider systemd sandboxing too
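For illustration, here is what a sandboxing drop-in along the lines Lennart suggests could look like for boinc-client. This is an added example, not configuration from the thread or from the BOINC project; the drop-in path, the /var/lib/boinc data directory and the choice to permit DRM (GPU) device access are assumptions, and the directive names follow systemd.exec(5) (note the documented spelling is ProtectControlGroups=).

```ini
# Hypothetical drop-in: /etc/systemd/system/boinc-client.service.d/sandbox.conf
# Applied on top of the distribution unit; check with
#   systemd-analyze security boinc-client.service
[Service]
# Closed-source work units are treated as untrusted: no capabilities at all,
# and no way to regain privileges via setuid binaries.
CapabilityBoundingSet=
NoNewPrivileges=yes

# Private /tmp and a read-only view of the OS; only the data directory is
# writable (assumed location, adjust to the packaged unit).
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/boinc

# Keep /proc/sys, /sys, module loading and the cgroup tree off-limits.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes

# Network access is needed to fetch and report work units, nothing else.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes

# Allow only native-ABI syscalls and the generic service profile,
# explicitly excluding privileged and resource-control groups.
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Instead of adding the user to the "video" group, whitelist only the
# DRM character devices that GPU work units actually need.
DevicePolicy=closed
DeviceAllow=char-drm rw
```

After `systemctl daemon-reload`, `systemctl show boinc-client -p ReadWritePaths -p DeviceAllow` confirms the drop-in took effect, and a work unit that needs something not listed here will fail visibly rather than gain access silently.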
_______________________________________________
devel mailing list -- [email protected]