diff options
| author | Lennart Poettering <lennart@poettering.net> | 2016-11-01 20:25:19 -0600 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-11-04 07:40:13 -0600 |
| commit | add005357d535681c7075ced8eec2b6e61b43728 (patch) | |
| tree | b780280f06df0b09c738173602cb90c599597996 /TODO | |
| parent | 9156493171cf2d78e1ac1a3746c385b0e281acf1 (diff) | |
core: add new RestrictNamespaces= unit file setting
This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().
RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.
This setting should be improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.
Diffstat (limited to 'TODO')
| -rw-r--r-- | TODO | 6 |
1 files changed, 0 insertions, 6 deletions
@@ -59,14 +59,10 @@ Features: * define gpt header bits to select volatility mode -* nspawn: mount loopback filesystems with "discard" - * ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc -* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls) - * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) @@ -88,8 +84,6 @@ Features: * Add RootImage= for mounting a disk image or file as root directory -* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone) - * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things * journalctl: make sure -f ends when the container indicated by -M terminates |