I'd like to ask you to update the guideline to recommend enabling systemd's PrivateDevices= and PrivateNetwork= settings for all long-running services.
This is in line with the accepted F21 feature posted here (which includes a rationale why):
https://fedoraproject.org/wiki/Changes/PrivateDevicesAndPrivateNetwork
Proposed text would be:
"If you package a long-running system service, please consider enabling systemd's PrivateDevices= and PrivateNetwork= settings for it, in order to improve security and minimize the attack surface.
When PrivateDevices=yes is set in the [Service] section of a systemd service unit file, the processes run for the service will run in a private file system namespace where /dev is replaced by a minimal version that only includes the device nodes /dev/null, /dev/zero, /dev/full, /dev/urandom, /dev/random, /dev/tty as well as the submounts /dev/shm, /dev/pts, /dev/mqueue, /dev/hugepages, and the /dev/stdout, /dev/stderr, /dev/stdin symlinks. No device nodes for physical devices will be included however. Furthermore, the CAP_MKNOD capability is removed. Finally, the "devices" cgroup controller is used to ensure that no access to device nodes except the listed ones is possible. This is an efficient way to take away physical device access for services, thus minimizing the attack surface.
When PrivateNetwork=yes is set in the [Service] section of a systemd service unit file, the processes run for the service will run in a private network namespace with a private loopback network interface, and no other network devices. Network communication between host and service cannot be initiated. This is an efficient way to take away network access for services, thus minimizing the attack surface.
By default both switches default to "no".
Note that PrivateDevices=yes should not be used for:
Note that PrivateNetwork=yes should not be used for:
For further details see the systemd.exec(5) man page."
(Oh, and please only recommend this for Fedora 21 and newer, before that the two options didn't work the way described above, or didn't exist.)
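An added example, not part of the ticket or of Fedora's guideline text: a small Python check that reads the [Service] section of a unit file and reports which of the two switches are not enabled. The sample units, their paths, and the rule that Type=oneshot units are skipped as not long-running are assumptions made for the illustration.

```python
"""Audit systemd unit text for PrivateDevices= and PrivateNetwork=."""

TRUE_VALUES = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts
SWITCHES = ("PrivateDevices", "PrivateNetwork")


def service_settings(unit_text):
    """Return key/value pairs of the [Service] section; a later assignment wins."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings


def missing_switches(unit_text):
    """List the switches that are not enabled; an unset switch counts as "no"."""
    settings = service_settings(unit_text)
    if settings.get("Type", "simple") == "oneshot":
        return []  # assumption: oneshot units are not long-running services
    return [s for s in SWITCHES if settings.get(s, "no").lower() not in TRUE_VALUES]


# Constructed sample units (hypothetical services, not from any package).
HARDENED = """\
[Unit]
Description=Constructed sample: local-only worker
[Service]
ExecStart=/usr/bin/example-worker
PrivateDevices=yes
PrivateNetwork=true
"""
UNHARDENED = """\
[Unit]
Description=Constructed sample: daemon left at defaults
[Service]
ExecStart=/usr/sbin/example-daemon
PrivateDevices=no
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("unhardened", UNHARDENED)):
        print(name, "is missing:", missing_switches(text) or "nothing")
```

The check reads a single unit file only; drop-in overrides and backslash line continuations are not resolved.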
This was passed, from https://lists.fedoraproject.org/pipermail/packaging/2014-June/010211.html:
Announcement text:
The systemd guidelines were revised to include a section about the use of PrivateDevices and PrivateNetwork: https://fedoraproject.org/wiki/Packaging:Systemd#Private_devices_and_networking
Metadata Update from @tibbs: - Issue assigned to tibbs