diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-05-12 20:14:46 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-05-12 20:14:46 +0200 |
| commit | 42d61dedcf279b4926d8fd4b600e2d37aa284933 (patch) | |
| tree | 7770c653dc8e0ffc4dc2dddb145a15450248b1b5 | |
| parent | 6900c740e1c2dab6d8f80e64e2fd1cd8c6d368a6 (diff) | |
update TODO
| -rw-r--r-- | TODO | 16 |
1 files changed, 16 insertions, 0 deletions
@@ -33,6 +33,22 @@ Janitorial Clean-ups: Features: +* make sure bash completion uses journalctl --fields to get fields list + +* use phyical_memory() to allow MemoryLimit= configuration based on available system memory + +* ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files + +* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc + +* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) + +* ProtectDevices= should also take iopl/ioperm/pciaccess away + +* ProtectKeyRing= to take keyring calls away + +* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone) + * IAID field must move from [Link] to [DHCP] section in .network files * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things |