#667 Recommend use of systemd sandboxing directives
Opened 2 years ago by mattdm. Modified a year ago

I would like to add a section on sandboxing options to https://fedoraproject.org/wiki/Packaging:Systemd.

See LWN story at https://lwn.net/Articles/709755/ for a nice overview of the background. Systemd developers recommend enabling a number of different directives.

I imagine a section listing these directives and pointing to their documentation, and recommending that they be enabled whenever possible, and that packagers should work with upstream to ensure that they are enabled in upstream service files.

I can create this draft, but I wanted to make sure that there's general agreement on the direction first. I'm also thinking about writing a fedora-review plugin with (optional) checks.
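A sketch of the kind of optional check such a fedora-review plugin could run over a unit file, added here as an example and not code from the ticket, fedora-review or systemd; the directive list and the values counted as "enabled" are an assumption, and the sample unit is constructed:

```python
# Assumed list of sandboxing directives and the values that count as "enabled".
RECOMMENDED = {
    "ProtectSystem": {"yes", "full", "strict"}, "ProtectHome": {"yes", "read-only", "tmpfs"},
    "PrivateTmp": {"yes"}, "PrivateDevices": {"yes"}, "NoNewPrivileges": {"yes"},
    "ProtectKernelTunables": {"yes"}, "ProtectKernelModules": {"yes"},
    "ProtectControlGroups": {"yes"}, "RestrictRealtime": {"yes"},
}
BOOL = {**dict.fromkeys(("1", "yes", "true", "on"), "yes"),     # systemd boolean
        **dict.fromkeys(("0", "no", "false", "off"), "no")}     # spellings

def parse_unit(text):
    """{section: {key: value}}: '#'/';' comments, backslash continuation,
    last assignment wins, and an empty 'Key=' resets the key (systemd rules)."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw
        if line.endswith("\\"):
            pending = line[:-1] + " "; continue        # join with the next line
        pending, line = "", line.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if value: sections[current][key] = value
            else: sections[current].pop(key, None)     # "Key=" resets the key
    return sections

def missing_hardening(text):
    """Return {directive: 'missing' or the value that leaves it disabled}."""
    service, findings = parse_unit(text).get("Service", {}), {}
    for key, enabled in RECOMMENDED.items():
        value = service.get(key)
        if value is None:
            findings[key] = "missing"
        elif BOOL.get(value.lower(), value.lower()) not in enabled:
            findings[key] = value
    return findings

# Constructed sample: ProtectSystem= is reset, ProtectKernelModules is off.
SAMPLE_UNIT = """[Service]
PrivateTmp=yes
ProtectSystem=full
ProtectSystem=
ProtectHome=read-only
NoNewPrivileges=true
ProtectKernelModules=no
"""
```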


A couple of things:

  • As a packaging guideline, this shouldn't attempt to be documentation for the various sandboxing options.
  • It's not really up to the packaging committee to make a distro-wide security decision like this. I mean, I guess we could, but I don't think FPC would generally be considered to be security experts.

Is there general consensus on the issue? Has FESCo had anything to say about it? How strong should the recommendation be? I see as reasonable anything from a simple explicit allowance of their use to "MUST if it doesn't impair functionality".

Thanks for the feedback. Yeah, definitely would not try to duplicate existing documentation. I was thinking of listing the suggested options and pointing to the LWN article and the systemd upstream documentation.

I can bring this to FESCo — I think we had reasonable consensus that it's a good idea in the mailing list discussion, but FESCo can help decide how strong the recommendation should be.

Some of these feel like they just should be distro-wide config changes, e.g.

ProtectKernelModules = true
ProtectTmp = true

...I know the latter has been tried by SELinux people, but needed exceptions. Anyone know if that's possible (different defaults, with overrides for postgresql/whatever)?

I'm also reluctant to link docs to that LWN article, as I'm not sure how much an average packager will take from it without a lot of careful reading.

Quick ping for matt, anything we can do here? Anything happening?

I just wanted to re-ping now that the FPC trac has migrated to pagure.

Metadata Update from @tibbs:
- Issue close_status updated to: None

2 years ago

I need to re-ping FESCo.

Metadata Update from @tibbs:
- Issue tagged with: needinfo

2 years ago

Did FESCo have anything to say?

Not yet. Will check again.

Any updates here? Personally I like the idea but it's coming up on six months now. I'm wondering if this isn't moving because people don't like it or because there are too many other fires to put out.

Fires on my part. Thanks for the reminder again. I took it to FESCo and then lost track. I'll check back.

I submitted a draft policy in https://pagure.io/fesco/issue/1663, the text is under https://fedoraproject.org/wiki/User:Zbyszek/ProtectionsPolicyDraft#Proposed_FESCo_decision. FESCo voted "#agreed draft policy approved and FPC is asked to review and comment and fold into guidelines. (8,0,1) (jsmith was +1 in ticket and tyll was +1 before leaving)". This one is back in your court now.

Metadata Update from @churchyard:
- Issue untagged with: needinfo
- Issue tagged with: meeting

a year ago

Metadata Update from @ignatenkobrain:
- Issue assigned to ignatenkobrain

a year ago

Let's revise this on our next meeting.

We discussed this at this week's meeting (https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2018-09-27/fpc.2018-09-27-16.00.txt):

  • #667 Recommend use of systemd sandboxing directives (geppetto,
    16:15:36)
  • ACTION: Recommend use of systemd sandboxing directives (+1:6, 0:0,
    -1:0) (geppetto, 16:34:51)

Metadata Update from @james:
- Assignee reset
- Issue untagged with: meeting
- Issue tagged with: writeup

a year ago

Guess I get to learn how to do this now.
