Re: systmd-analyze security as a release goal
Marco d'Itri <md@Linux.IT> writes:
> This is a good example of what an almost fully sandboxed service looks like:
> https://salsa.debian.org/md/rpki-client/-/blob/master/debian/rpki-client.service
My best score is a little better :-)
On Debian 11 (systemd v247):
→ Overall exposure level for collection4.service: 0.2 SAFE 😀
→ Overall exposure level for rpki-client.service: 1.7 OK 🙂
On Sid (systemd v253):
→ Overall exposure level for collection4.service: 0.4 SAFE 😀
→ Overall exposure level for rpki-client.service: 1.8 OK 🙂
https://github.com/trentbuck/collection4/blob/main/debian/service
PS: I worked out to invoke it in offline mode (for lintian) you do this:
systemd-analyze --offline=yes ./path/to/foo.service
I didn't understand (from the manpage) that I could pass a file instead of a unit name, so
I wasted a lot of time trying to make a minimal --root=tmpdir work.
Also it won't accept "./debian/service", nor a symlink to same.
Reply to: