feat(firewalld): drop linux capabilities #825
Drop capabilities to a minimal set via python3-capng. This is an optional dependency. If the python import fails then all capabilities are kept.
@mbiebl. FYI, in case you want to add this optional dependency in Debian.
Wouldn't it be easier to just use systemd's builtin mechanisms for dropping capabilities?
I think dropping in the daemon is just as easy. Two reasons to drop in the daemon vs systemd service definition:
The python dependency is optional. There is no harm in downstream changes to drop capabilities in systemd and avoid the packaging dependency on python-capng.
Well, changing it downstream has the downside that I need to keep the list of caps up-to-date in the .service file. Can you give me any pointers which parts of the testsuite cover/require dropping of caps? I also noticed that even after installing python3-cap-ng (0.7.9) on Debian, I don't get
in my journal log. What am I doing wrong?
btw, would it be possible to log this to the journal (when systemd is used)? I'm so used to the journal by now, that I find it cumbersome having to check external log files.
There are no tests specific to dropping capabilities. I meant that the entire testsuite runs with reduced capabilities. Which verifies that running with reduced capabilities actually works.
It's possible SELinux is blocking it. That was the case in Fedora.
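One way to check from outside the daemon whether a capability drop like the one discussed above took effect is to decode the `CapPrm` and `CapEff` masks in `/proc/<pid>/status`. This is an added example, not code from the PR or from firewalld; the `ALLOWED` set is a placeholder allowlist and the status samples are constructed.

```python
import re
import sys

# Capability names by bit number, in the order of linux/capability.h (bits 0-40).
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap "
    "linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock "
    "ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin "
    "sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease "
    "audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm "
    "block_suspend audit_read perfmon bpf checkpoint_restore"
).split()

# Assumption: placeholder allowlist for illustration, not the list from the PR.
ALLOWED = {"cap_net_admin", "cap_net_raw", "cap_sys_module"}

# Constructed samples of the Cap* lines from /proc/<pid>/status.
FULL = "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
DROPPED = "CapPrm:\t0000000000013000\nCapEff:\t0000000000013000\n"
# Effective set reduced, but cap_sys_admin is still permitted and can be re-raised.
RE_RAISABLE = "CapPrm:\t0000000000213000\nCapEff:\t0000000000013000\n"

def decode(mask):
    """Return the names of the capability bits set in an integer mask."""
    names, bit = set(), 0
    while mask >> bit:
        if mask >> bit & 1:
            known = bit < len(CAP_NAMES)
            names.add("cap_" + CAP_NAMES[bit] if known else "cap_%d" % bit)
        bit += 1
    return names

def parse_status(text):
    """Map CapInh/CapPrm/CapEff/CapBnd/CapAmb to their integer masks."""
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$"
    return {k: int(v, 16) for k, v in re.findall(pattern, text, re.M)}

def audit(text, allowed=ALLOWED):
    """Return capabilities still effective or permitted that are not allowed."""
    sets = parse_status(text)
    if "CapEff" not in sets or "CapPrm" not in sets:
        raise ValueError("CapEff/CapPrm lines not found")
    return sorted(decode(sets["CapEff"] | sets["CapPrm"]) - set(allowed))

if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python3 capcheck.py <pid of the daemon>
    with open("/proc/%s/status" % sys.argv[1]) as fh:
        print(audit(fh.read()) or "only allowed capabilities remain")
```

Checking the permitted set as well as the effective set matters because a capability that is only removed from `CapEff` can be raised again by the process.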
I don't know how you'd do that. Would firewalld have to detect it's running with reduced capabilities?