On Tue, 13.12.16 01:56, Rahul Sundaram (methe...@gmail.com) wrote:

> Hi
> 
> On Mon, Dec 12, 2016 at 4:03 PM Lennart Poettering
> > Hmm, yeah, I should probably blog more about all the nice sandboxing
> > features we have now in systemd.
> 
> It would be useful if we could set these types of options system-wide, for
> both the distribution/vendor and for admin overrides, with services that can
> opt out rather than opt in.

Well, the security policies need to be adapted to the service in
question, hence a blanket switch to enable all of them for every
service is problematic. Let's say you block gettimeofday()
system-wide, but then run an NTP service: you just broke it...

I fear it's too late to turn on all sandboxing options by default for
regular services. If we had had them back when we started, we
of course would have made them opt-out rather than opt-in, but that's
too late now...

Lennart

-- 
Lennart Poettering, Red Hat