Systemd Adds New "ProtectSystem Strict" Option, Other New Tunables

  • Phoronix: Systemd Adds New "ProtectSystem Strict" Option, Other New Tunables

    Landing overnight in systemd Git were several new tunables for offering better system security/protection. The systemd-udevd.service is also now run in a Seccomp-based sandbox to prohibit any network access...


  • #2
    Chrome OS has this minijail, which seems really nice. It sandboxes applications with seccomp.



    I hope to see more sandboxing in the future.

    • #3
      I am feeling like this should be the default. With this approach, packages for a given software are responsible for providing the scripts that lock them down. If it was the other way around (i.e., like an Android manifest), they would request access to some parts of the system, making it way easier to identify rogue services.
      Or am I wrong?

      That said, it would probably break backward compatibility if it was enforced. Maybe a progressive switch?

      • #4
        "The systemd-udevd.service is also now run in a Seccomp-based sandbox to prohibit any network access."
        Is this meant to increase privacy?
        Does this mean that from now on proprietary drivers for devices like the NVIDIA graphics one can't phone home or send whatever they want over the network?

        • #5
          Originally posted by Danny3
          "The systemd-udevd.service is also now run in a Seccomp-based sandbox to prohibit any network access."
          Is this meant to increase privacy?
          Does this mean that from now on proprietary drivers for devices like the NVIDIA graphics one can't phone home or send whatever they want over the network?

          I think those restrictions only apply to user space.

          • #6
            This looks like it's for Docker? - Ugh systemd.. Can we just say that Linux is no longer a "Unix like" operating system?

            • #7
              Originally posted by k1e0x
              This looks like it's for Docker? - Ugh systemd.. Can we just say that Linux is no longer a "Unix like" operating system?

              I am not sure why you think a security option is for Docker? This can protect any daemon. Linux has innovated far beyond Unix-like systems for years.

              • #8
                Not only, but it's a problem. It's a classic problem too, the UID 0 problem.

                "innovated" rrriight... I forgot that systemd is innovative.. heh.. not the word I'd use for systemd-mount or systemd-journald.. maybe omnipotent, monolithic, maniacal, oppressive would be better words.

                • #9
                  @michael: typo... "servics"

                  • #10
                    Originally posted by halo9en
                    @michael: typo... "servics"

                    Fixed, thanks.
                    Michael Larabel
                    https://www.michaellarabel.com/
