Author: Mike Tubby
Date:
To: exim-users
Subject: Re: [exim] Systemd sandboxing, syscalls etc.
On 13/02/2020 13:02, Jeremy Harris via Exim-users wrote:
> On 13/02/2020 12:03, Kai Bojens via Exim-users wrote:
>> Would it be possible for the Exim project to provide some insights into
>> which syscalls, capabilities, access to directories and so on are
>> required?
> Not in full. We don't maintain a register of all possibly-used
> syscalls, and Exim can be built with many different combinations
> of libraries, each of which would be using different syscall sets.
>
> So far as filesystem use goes: we regard everything under the
> spooldir top level as fair game, plus the config file and anything
> it includes as config portions. But config content can also
> specify additional file accesses; Exim does not limit where they are
> placed, if any.
... and besides, the best thing to do with systemd is to take it outside
and shoot it.
Alternative, and in my opinion better, approaches are:
1. Run Exim on a non-systemd box such as Devuan. Apply security via
AppArmor + SELinux.
2. Run Exim on a virtual machine with nothing else that matters. If
it gets broken (unlikely) you can just drop the box and stand another
one up.
as you'll never get to the end of syscalls that call, well, syscalls,
new libraries using new or old APIs, new kernel versions, etc.
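Since the project, as Jeremy says above, keeps no register of the syscalls a given Exim build uses, the practical route to a systemd allowlist is to measure one. The script below is an added example written for this thread; it is not code from the exim-users list or from the Exim project. It assumes a Debian-style layout (binary at /usr/sbin/exim4, spool at /var/spool/exim4) and that strace is installed for a real run; the trace it parses here is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example for this thread; not code from the exim-users list or the Exim
# project. Since Exim does not publish a syscall register, derive a candidate
# SystemCallFilter= allowlist empirically from an strace log of the daemon.
#
# Assumptions (not stated in the thread): Debian layout with the binary at
# /usr/sbin/exim4 and the spool at /var/spool/exim4; strace is installed for a
# real run. The SAMPLE_LOG below is constructed to look like 'strace -f' output.

# Print the distinct syscall names in an strace log, one per line.
# 'strace -f' prefixes lines with "[pid  NNNN] "; resumed calls
# ("<... read resumed>"), signals ("--- SIGCHLD ...") and exits
# ("+++ exited with 0 +++") carry no new syscall name and are skipped.
syscalls_from_strace() {
    sed -n 's/^\([[]pid *[0-9]*] \)\{0,1\}\([a-z_][a-z0-9_]*\)(.*/\2/p' "$1" | sort -u
}

# Render the names as one SystemCallFilter= line (space-separated allowlist).
systemcall_filter_line() {
    names=$(syscalls_from_strace "$1" | tr '\n' ' ')
    printf 'SystemCallFilter=%s\n' "${names% }"
}

# Emit a drop-in unit fragment. ReadWritePaths= only matters once
# ProtectSystem=strict has made the rest of the tree read-only, so the two
# are listed together; the spool is the part the thread calls "fair game".
render_dropin() {
    printf '[Service]\n'
    printf 'ProtectSystem=strict\n'
    printf 'ReadWritePaths=/var/spool/exim4\n'
    systemcall_filter_line "$1"
}

# Real collection: collect_syscalls OUT_LOG CMD [ARGS...]. Exercise every
# path that matters (SMTP in, local and remote delivery, queue runs, log
# rotation) before trusting the result, and repeat after every upgrade of
# Exim, its libraries or the kernel, as the thread warns.
collect_syscalls() {
    out=$1; shift
    command -v strace >/dev/null 2>&1 || { echo "strace not installed" >&2; return 1; }
    strace -f -o "$out" "$@"
}

# Constructed sample standing in for: strace -f -o exim.trace /usr/sbin/exim4 -bd -q30m
SAMPLE_LOG=$(mktemp)
cat >"$SAMPLE_LOG" <<'EOF'
execve("/usr/sbin/exim4", ["/usr/sbin/exim4", "-bd", "-q30m"], 0x7ffc0000 /* 20 vars */) = 0
openat(AT_FDCWD, "/etc/exim4/exim4.conf", O_RDONLY) = 3
read(3, "# Exim configuration\n", 4096) = 21
socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP) = 4
bind(4, {sa_family=AF_INET6, sin6_port=htons(25), sin6_addr=in6addr_any}, 28) = 0
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|SIGCHLD) = 4242
[pid  4242] setgid(111) = 0
[pid  4242] setuid(106) = 0
[pid  4242] openat(AT_FDCWD, "/var/spool/exim4/input/sample-D", O_WRONLY|O_CREAT, 0640) = 5
[pid  4242] <... write resumed> = 21
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4242, si_status=0} ---
+++ exited with 0 +++
EOF

# On the sample this prints a [Service] fragment ending in
# SystemCallFilter=bind clone execve openat read setgid setuid socket
render_dropin "$SAMPLE_LOG"
rm -f "$SAMPLE_LOG"
```

Treat the output as a starting point, not a final policy: a trace only covers the code paths you exercised, and the thread's objection stands that the set changes with every library, build option and kernel. While trialling, set SystemCallErrorNumber=EPERM so a missed syscall fails with an error in the Exim log instead of the process being killed with SIGSYS, and pin SystemCallArchitectures=native so the names you collected on this architecture are the only ones that apply.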