On Tue, Nov 28, 2017 at 08:22:50PM -0800, Russ Allbery wrote:
> My personal pet "I don't have time" project I'd love to see is extending systemd units for as many services in Debian as possible to include namespace restrictions and seccomp filter rules, which I think has good parallel potential alongside an LSM for raising the default security posture of Debian. LSMs deal with per-file restrictions much more easily than systemd's seccomp and namespace support, but the seccomp and namespace support does a lot of other nice things that LSMs aren't as good at.

Yes, this would be excellent; a necessary prerequisite would be getting more daemons (and cron-scheduled processes) shipping systemd units too.

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Jonathan Dowland
⢿⡄⠘⠷⠚⠋⠀ https://jmtd.net
⠈⠳⣄⠀⠀⠀⠀ Please do not CC me, I am subscribed to the list.