On Mon, 20.07.15 13:24, Florian Weimer ([email protected]) wrote:

> What's the intent of these settings? Is it a form of hardening? If
> yes, it is rather ineffective because UID=0 does not need any
> capabilities to completely compromise the system.

Well, we run our stuff with minimal attack surface. While the caps stuff is not a complete sandbox, we should take away all privs we can. In particular since many of the caps become useful as soon as you combine them with other options we have, for example PrivateNetwork=yes, PrivateDevices=yes, ProtectSystem=yes and PrivateTmp=yes. Because in that case, write access to root-owned files is quite restricted by other means than just plain access modes...

Of course, even then the sandbox will still have many holes, but I am happy to improve things where it makes sense. For example, I'd love it if "hidepid=" would become a true mount option for /proc that we can set differently for each namespace. Because then we could take away access to other root-owned processes from a service running as root.

Long story short: the caps bounding set is one piece in a bigger puzzle. As the only puzzle piece they are pretty shitty, but if you put them together with others they'll turn into a pretty picture. And while not all pieces for the complete puzzle might be in the game yet, we should put together the ones we already possess.

Lennart

-- 
Lennart Poettering, Red Hat
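As an added example (not part of this mail and not one of systemd's own unit files), a service unit that combines the pieces the mail lists, with a comment on what each one takes away from a root-running service; the unit name and daemon path are placeholders:

```ini
# Added example, not from the mail: a root service whose empty capability
# bounding set is backed up by the other sandboxing options, so that each
# option closes a hole the others leave open.
[Unit]
Description=Example sandboxed root service (placeholder)

[Service]
# Hypothetical daemon path; replace with the real binary.
ExecStart=/usr/bin/example-daemon
User=root

# Empty bounding set: no capability can be regained later, not even by
# executing a setuid-root or file-capability binary. On its own this is
# weak, because UID 0 still owns every file it can reach...
CapabilityBoundingSet=

# ...so shrink the reach instead of relying on access modes alone:
# PrivateNetwork:  own network namespace with only a loopback device
# PrivateDevices:  private /dev with pseudo-devices only, no disk or
#                  memory nodes to write to
# ProtectSystem:   /usr and /boot mounted read-only for this service
# PrivateTmp:      per-service /tmp and /var/tmp
PrivateNetwork=yes
PrivateDevices=yes
ProtectSystem=yes
PrivateTmp=yes

# ProtectProc=invisible (added to systemd long after this mail) is the
# per-namespace hidepid= the mail wishes for. Like hidepid= it is
# bypassed by CAP_SYS_PTRACE, so it only holds because the bounding set
# above is empty.
ProtectProc=invisible

[Install]
WantedBy=multi-user.target
```

To confirm the bounding set actually took effect on the running process, read `CapBnd:` from `/proc/<MainPID>/status` of the service; with the unit above it is all zeros.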
