path: root/TODO
author: Evgeny Vereshchagin <evvers@ya.ru> 2016-09-28 04:50:30 +0300
committer: GitHub <noreply@github.com> 2016-09-28 04:50:30 +0300
commit: cc238590e472e8bbba6da262ac985ea59ad52c72 (patch)
tree: fc9754e546ccb3a6355bd4157bc590ab93478469 /TODO
parent: b8fafaf4a1cffd02389d61ed92ca7acb1b8c739c (diff)
parent: cdfbd1fb26eb75fe6beca47dce7e5e348b077d97 (diff)
Merge pull request #4185 from endocode/djalal-sandbox-first-protection-v1
core:sandbox: Add new ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict and fixes
Diffstat (limited to 'TODO')
-rw-r--r--  TODO  38
1 file changed, 11 insertions, 27 deletions
diff --git a/TODO b/TODO
index e7391f0bfe..a47f4c488b 100644
--- a/TODO
+++ b/TODO
@@ -32,6 +32,8 @@ Janitorial Clean-ups:
Features:
+* switch to ProtectSystem=strict for all our long-running services where that's possible
+
* introduce an "invocation ID" for units, that is randomly generated, and
identifies each runtime-cycle of a unit. It should be set freshly each time
we traverse inactive → activating/active, and should be the primary key to
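Review bot: the new item at the top of Features, "switch to ProtectSystem=strict for all our long-running services where that's possible", leaves the exception criterion undefined, so nobody can tell when it is done. State what makes it impossible for a given service (it must write somewhere outside its state, runtime or temporary directories and cannot be given an explicit writable path) so each unit can be ticked off or documented as an exception.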
@@ -40,8 +42,9 @@ Features:
the cgroup of a services. The former is accessible without privileges, the
latter ensures the ID cannot be faked.
-* Introduce ProtectSystem=strict for making the entire OS hierarchy read-only
- except for a select few
+* If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet
+
+* Permit masking specific netlink APIs with RestrictAddressFamily=
* nspawn: start UID allocation loop from hash of container name
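Review bot: the directive in the new line "Permit masking specific netlink APIs with RestrictAddressFamily=" is misspelled; the existing setting is RestrictAddressFamilies= (plural), and using the real name keeps the item greppable against the code and man page. The other new item, "If RootDirectory= is used, mount /proc, /sys, /dev into it, if not mounted yet", should say whether those mounts are to honour the unit's ProtectKernelTunables= and ProtectControlGroups= settings, since a writable /sys inside the root would undo the protection this very PR adds. Removing the old "Introduce ProtectSystem=strict" item is consistent with the PR title.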
@@ -55,15 +58,13 @@ Features:
* ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc
-* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
-
-* ProtectDevices= should also take iopl/ioperm/pciaccess away
+* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls)
-* ProtectKeyRing= to take keyring calls away
+* ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away)
-* ProtectControlGroups= which mounts all of /sys/fs/cgroup read-only
+* ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave)
-* ProtectKernelTunables= which mounts /sys and /proc/sys read-only
+* ProtectKeyRing= to take keyring calls away
* RemoveKeyRing= to remove all keyring entries of the specified user
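Review bot: the deletion of "ProtectDevices= should also take iopl/ioperm/pciaccess away" is not explained by the PR title (ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict); if one of the new options now filters the raw I/O port syscalls, say so in the commit message, otherwise keep the item, because it is a distinct hardening gap. Note also that ProtectMount= and ProtectKeyRing= are deleted and re-added verbatim, so most of this hunk is a reorder rather than a change, and the surviving ProtectClock= context line still reads "seecomp" and "DeviceAllow o /dev/rtc" ("seccomp", "on /dev/rtc"), which a TODO touch-up could fix while here.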
@@ -72,9 +73,6 @@ Features:
* Add BindDirectory= for allowing arbitrary, private bind mounts for services
-* Beef up RootDirectory= to use namespacing/bind mounts as soon as fs
- namespaces are enabled by the service
-
* Add RootImage= for mounting a disk image or file as root directory
* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone)
@@ -180,7 +178,7 @@ Features:
* implement a per-service firewall based on net_cls
* Port various tools to make use of verbs.[ch], where applicable: busctl,
- bootctl, coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
+ coredumpctl, hostnamectl, localectl, systemd-analyze, timedatectl
* hostnamectl: show root image uuid
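Review bot: from this hunk onward the patch removes TODO items that have nothing to do with the sandboxing options in the title (bootctl here, then "busctl status", the maximum CPU runtime property, the gdm note, the nspawn bridge and resolv.conf items, the coredump and $HOME items). That is a separate janitorial sweep; splitting it into its own commit with a one-line reason per removed entry (done, obsolete, or moved) would make both changes reviewable.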
@@ -293,9 +291,6 @@ Features:
* MessageQueueMessageSize= (and suchlike) should use parse_iec_size().
-* "busctl status" works only as root on dbus1, since we cannot read
- /proc/$PID/exe
-
* implement Distribute= in socket units to allow running multiple
service instances processing the listening socket, and open this up
for ReusePort=
@@ -306,8 +301,6 @@ Features:
and passes this back to PID1 via SCM_RIGHTS. This also could be used
to allow Chown/chgrp on sockets without requiring NSS in PID 1.
-* New service property: maximum CPU runtime for a service
-
* introduce bus call FreezeUnit(s, b), as well as "systemctl freeze
$UNIT" and "systemctl thaw $UNIT" as wrappers around this. The calls
should SIGSTOP all unit processes in a loop until all processes of
@@ -344,12 +337,10 @@ Features:
error. Currently, we just ignore it and read the unit from the search
path anyway.
-* refuse boot if /etc/os-release is missing or /etc/machine-id cannot be set up
+* refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up
* btrfs raid assembly: some .device jobs stay stuck in the queue
-* make sure gdm does not use multi-user-x but the new default X configuration file, and then remove multi-user-x from systemd
-
* man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted.
* load .d/*.conf dropins for device units
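Review bot: the rewrite from "/etc/os-release" to "/usr/lib/os-release" in "refuse boot if ... is missing" narrows the check in the wrong direction. Per os-release(5), /etc/os-release takes precedence and /usr/lib/os-release is the fallback, so a system that ships only /etc/os-release would be refused by the check as written; phrase the item as "neither /etc/os-release nor /usr/lib/os-release exists".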
@@ -606,9 +597,6 @@ Features:
* currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not
* nspawn:
- - to allow "linking" of nspawn containers, extend --network-bridge= so
- that it can dynamically create bridge interfaces that are refcounted
- by the containers on them. For each group of containers to link together
- nspawn -x should support ephemeral instances of gpt images
- emulate /dev/kmsg using CUSE and turn off the syslog syscall
with seccomp. That should provide us with a useful log buffer that
@@ -617,8 +605,6 @@ Features:
- as soon as networkd has a bus interface, hook up --network-interface=,
--network-bridge= with networkd, to trigger netdev creation should an
interface be missing
- - don't copy /etc/resolv.conf from host into container unless we are in
- shared-network mode
- a nice way to boot up without machine id set, so that it is set at boot
automatically for supporting --ephemeral. Maybe hash the host machine id
together with the machine name to generate the machine id for the container
@@ -684,7 +670,6 @@ Features:
* coredump:
- save coredump in Windows/Mozilla minidump format
- - move PID 1 segfaults to /var/lib/systemd/coredump?
* support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting)
@@ -751,7 +736,6 @@ Features:
- GC unreferenced jobs (such as .device jobs)
- move PAM code into its own binary
- when we automatically restart a service, ensure we restart its rdeps, too.
- - for services: do not set $HOME in services unless requested
- hide PAM options in fragment parser when compile time disabled
- Support --test based on current system state
- If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle().