Re: [exim] Systemd sandboxing, syscalls etc.

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMMike Tubby at <-
.M 
Delete this message
Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] Systemd sandboxing, syscalls etc.
Kai Bojens via Exim-users <exim-users@???> (Do 13 Feb 2020 13:03:22 CET):
> I was reading this article[1] which was featured on LWN[2] some days
> ago. The blog post is about the systemd sandboxing and a possible way to
> prevent remote code execution as recently with the OpenSMTPD bug. In
> order to secure a daemon one has to know about the required syscalls,
> the capabilities which are needed and so son.
>
> Would it be possible for the Exim project to provide some insights into
> which syscalls, capabilities, access to directores and so on are
> required? That would enable admins like me to restrict exim even more.

Here follow Jeremy's mail. There are many variants of having Exim built.
But I'd support such attempt, to use systemd (or other means)
to restrict the operations, Exim needs to do.

Currently I'm using simplistic systemd service units for Exim startup,
with only some filesystem access restrictions, but I'm definitly interested in
more restrictions, if possible.

--
Heiko
This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] Systemd sandboxing, syscalls etc.[exim] Weirdness when forcing TLS and checking that its working in ACLs->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)