On Sat, Apr 10, Michael Ströder wrote:
> IMO systemd.exec(5) SystemCallFilter= is not crude at all. For me it's a low-hanging fruit. But differences in systemd versions in Leap and Tumbleweed are an obstacle.
If you use systemd sandboxing, your system is only protected against the app if you start it via a systemd service file. If you start your app directly, your system is no longer protected. AppArmor and SELinux both protect your system, independent of how you start the app. That's why systemd sandboxing is not a real generic solution.
Thorsten
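As an added illustration of the SystemCallFilter= approach the two posters are debating (this is not from either mail; the unit name foo.service, the drop-in path and the syscall sets chosen are assumptions for the example), a drop-in that adds a syscall filter and a few related sandboxing directives to an existing unit:

```ini
# /etc/systemd/system/foo.service.d/sandbox.conf
# Hypothetical drop-in for a hypothetical foo.service; applied with
# `systemctl daemon-reload` followed by `systemctl restart foo.service`.
[Service]
# Allow only the syscalls in the @system-service set.  Anything outside it
# returns EPERM instead of killing the process (the default is SIGSYS), which
# keeps misses visible in the journal while the filter is being tuned.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
# A later "~" line removes whole syscall families from the allow list above,
# so a service that has no business with these cannot reach them even if a
# newer systemd adds them to @system-service.
SystemCallFilter=~@mount @module @raw-io @reboot @swap @clock @cpu-emulation @obsolete
# Refuse non-native ABIs (e.g. 32-bit calls on x86_64), which bypass a filter
# written for the native syscall numbers.
SystemCallArchitectures=native
# Companion restrictions that keep a filtered process from widening its own
# privileges or writing outside its state directory.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
```

`systemd-analyze syscall-filter @system-service` prints what the locally installed systemd puts in that set, which is the quickest way to see the Leap versus Tumbleweed difference Michael mentions before relying on a set name; `systemd-analyze security foo.service` scores the resulting unit. Note that all of this is a property of the unit: `/usr/bin/foo` started from a shell, a cron job or another service gets none of it, which is exactly Thorsten's objection, whereas an AppArmor or SELinux policy is keyed to the executable or its label and follows the program however it is launched.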