Open spacekitteh opened 7 years ago
This is the best practice list from the mailing list:
```ini
CapabilityBoundingSet=...
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
RestrictAddressFamilies=AF_NETLINK AF_UNIX
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
```
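A small audit script for the list above, added here as an example; it is not part of the original issue, of nixpkgs, or of systemd. It parses a unit file the way systemd reads it (repeated keys accumulate, an empty assignment resets a list setting, trailing backslashes continue a line, which `configparser` gets wrong) and reports which directives from the list are missing or weaker than recommended. The unit text and the `example-daemon` service in it are constructed for illustration. The `SystemCallFilter=` check only understands the deny-list `~` form used above; a unit that uses an allow-list instead is stricter, not weaker, and would need a separate check.

```python
"""Audit a systemd unit's [Service] section against the hardening list above.

Added example, not code from the original issue, from nixpkgs or from systemd.
SAMPLE_UNIT and the example-daemon service are constructed for illustration.
"""
from typing import Dict, List, Set

# Directives from the list above. None means "must be present, any value"
# (CapabilityBoundingSet and RestrictAddressFamilies are service-specific).
EXPECTED = {
    "CapabilityBoundingSet": None,
    "MemoryDenyWriteExecute": "yes",
    "NoNewPrivileges": "yes",
    "PrivateDevices": "yes",
    "PrivateTmp": "yes",
    "PrivateUsers": "yes",
    "ProtectControlGroups": "yes",
    "ProtectHome": "yes",
    "ProtectKernelModules": "yes",
    "ProtectKernelTunables": "yes",
    "ProtectSystem": "strict",
    "RestrictAddressFamilies": None,
    "RestrictNamespaces": "yes",
    "RestrictRealtime": "yes",
}
DENIED_SYSCALL_GROUPS = {"@clock", "@cpu-emulation", "@debug", "@keyring",
                         "@module", "@mount", "@obsolete", "@raw-io", "@resources"}
TRUE_VALUES = {"yes", "true", "on", "1"}

# Constructed unit: PrivateUsers is missing, ProtectSystem is only "full",
# and the syscall deny list forgets @mount.
SAMPLE_UNIT = """\
# constructed example unit, not a real nixpkgs service
[Unit]
Description=example daemon

[Service]
ExecStart=/run/current-system/sw/bin/example-daemon
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET \\
    AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring
SystemCallFilter=~@module @obsolete @raw-io @resources
"""


def parse_unit(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse unit text into {section: {key: [values...]}}.

    Keeps repeated keys (SystemCallFilter= may appear several times), treats an
    empty assignment as a reset like systemd does, and joins backslash
    continuation lines.
    """
    sections: Dict[str, Dict[str, List[str]]] = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = sections[current].setdefault(key, [])
        if value == "":
            values.clear()  # empty assignment resets a list setting
        else:
            values.append(value)
    return sections


def denied_groups(filters: List[str]) -> Set[str]:
    """Union of the groups named in deny-list (~-prefixed) SystemCallFilter= lines."""
    denied: Set[str] = set()
    for entry in filters:
        if entry.startswith("~"):
            denied.update(entry[1:].split())
    return denied


def audit_service(text: str) -> List[str]:
    """Return findings for the [Service] section; an empty list means compliant."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for key, expected in EXPECTED.items():
        values = service.get(key)
        if not values:
            findings.append(f"{key} is not set")
            continue
        actual = values[-1]  # last assignment wins for scalar settings
        if expected == "yes" and actual.lower() not in TRUE_VALUES:
            findings.append(f"{key}={actual} (expected yes)")
        elif expected not in (None, "yes") and actual != expected:
            findings.append(f"{key}={actual} (expected {expected})")
    missing = DENIED_SYSCALL_GROUPS - denied_groups(service.get("SystemCallFilter", []))
    if missing:
        findings.append("SystemCallFilter does not deny: " + " ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for finding in audit_service(SAMPLE_UNIT) or ["compliant"]:
        print(finding)
```

Run against the constructed unit this reports the three gaps (`PrivateUsers`, `ProtectSystem=full`, `@mount` not denied). The script is deliberately blind to whether a given setting is appropriate for a given service: `MemoryDenyWriteExecute=yes` breaks anything that JITs, `PrivateUsers=yes` breaks services that need real root, and `CapabilityBoundingSet=` and `RestrictAddressFamilies=` have to be chosen per service, which is why they are only checked for presence.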
systemd 232 is on staging (a38f1911d34f2a72e15d5e98d76bece6cb8042a8)
We are on systemd-239 now. Is this still relevant?
Very much so - we are not really making use of the various capabilities to lock things down (yet).
Once systemd-232 is merged (#20156) and things are working, we have a bunch of tasks: