Re: [exim] Systemd sandboxing, syscalls etc.

Góra strony
Delete this message
Reply to this message
Autor: Heiko Schlittermann
Data:  
Dla: exim-users
Temat: Re: [exim] Systemd sandboxing, syscalls etc.
Kai Bojens via Exim-users <exim-users@???> (Do 13 Feb 2020 13:03:22 CET):
> I was reading this article[1] which was featured on LWN[2] some days
> ago. The blog post is about the systemd sandboxing and a possible way to
> prevent remote code execution as recently with the OpenSMTPD bug. In
> order to secure a daemon one has to know about the required syscalls,
> the capabilities which are needed and so son.
>
> Would it be possible for the Exim project to provide some insights into
> which syscalls, capabilities, access to directores and so on are
> required? That would enable admins like me to restrict exim even more.


Here follow Jeremy's mail. There are many variants of having Exim built.
But I'd support such attempt, to use systemd (or other means)
to restrict the operations, Exim needs to do.

Currently I'm using simplistic systemd service units for Exim startup,
with only some filesystem access restrictions, but I'm definitly interested in
more restrictions, if possible.

--
Heiko