I would like to add a section on sandboxing options to https://fedoraproject.org/wiki/Packaging:Systemd.
See LWN story at https://lwn.net/Articles/709755/ for a nice overview of the background. Systemd developers recommend enabling a number of different directives.
I imagine a section listing these directives and pointing to their documentation, and recommending that they be enabled whenever possible, and that packagers should work with upstream to ensure that they are enabled in upstream service files.
I can create this draft, but I wanted to make sure that there's general agreement on the direction first. I'm also thinking about writing a fedora-review plugin with (optional) checks.
A couple of things:
Is there general consensus on the issue? Has FESCo had anything to say about it? How strong should the recommendation be? I see as reasonable anything from a simple explicit allowance of their use to "MUST if it doesn't impair functionality".
Thanks for the feedback. Yeah, definitely would not try to duplicate existing documentation. I was thinking of listing the suggested options and pointing to the LWN article and the systemd upstream documentation.
I can bring this to FESCo — I think we had reasonable consensus that it's a good idea in the mailing list discussion, but FESCo can help decide how strong the recommendation should be.
Some of these feel like they just should be distro. wide config. changes, Eg.
ProtectKernelModules = true ProtectTmp = true
...I know the later has been tried by SELinux people, but needed exceptions. Anyone know if that's possible (different defaults, with overrides for postgresql/whatever)?
I'm also reluctant to link docs. to that lwn article, as I'm not sure how much an average packager will take from it without a lot of careful reading.
Quick ping for matt, anything we can do here? Anything happening?
I just wanted to re-ping now that the FPC trac has migrated to pagure.
Metadata Update from @tibbs: - Issue close_status updated to: None
I need to re-ping FESCo.
Metadata Update from @tibbs: - Issue tagged with: needinfo
Did FESCo have anything to say?
Not yet. Will check again.
Any updates here? Personally I like the idea but it's coming up on six months now. I'm wondering if this isn't moving because people don't like it or because there are too many other fires to put out.
Fires on my part. Thanks for the reminder again. I took it to FESCo and then lost track. I'll check back.
FESCo issue https://pagure.io/fesco/issue/1663
I submitted a draft policy in https://pagure.io/fesco/issue/1663, the text is under https://fedoraproject.org/wiki/User:Zbyszek/ProtectionsPolicyDraft#Proposed_FESCo_decision. FESCo voted "#agreed draft policy approved and FPC is asked to review and comment and fold into guidelines. (8,0,1) (jsmith was +1 in ticket and tyll was +1 before leaving)". This one is back in your court now.
Ping FPC :)
Metadata Update from @churchyard: - Issue untagged with: needinfo - Issue tagged with: meeting
Thanks.
Metadata Update from @ignatenkobrain: - Issue assigned to ignatenkobrain
Let's revise this on our next meeting.
We discussed this at this weeks meeting (https://meetbot-raw.fedoraproject.org/fedora-meeting-1/2018-09-27/fpc.2018-09-27-16.00.txt):
Metadata Update from @james: - Assignee reset - Issue untagged with: meeting - Issue tagged with: writeup
Guess I get to learn how to do this now.
Login to comment on this ticket.