Systemd provides a bunch of features which can be used to contain and secure services. First, it performs setup like creating runtime directories and opening sockets, so the service doesn't need privileges. Second, it makes it easy to run services as unprivileged users, removing a whole set of problems. Third, it uses kernel features like mount and network namespaces, capabilities, and resource limits to constrain services. Fourth, it implements additional filters using BPF (per-service firewalls, the devices controller). Fifth, it does resource cleanup after the service is done, again removing the need for privileges.
We could use this to vastly simplify services and to provide an additional level of security for system services. More and more services in Fedora are making use of this, but the common case is still to run as root with full access to everything the service doesn't need. I'll talk about the features that are the most useful and how they can be used in practice.
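As an added example (not from the talk or from any Fedora package), here is the contrast the abstract draws, for a hypothetical service called example-daemon: first the service as it is commonly shipped, running as root with no confinement, then the same service split into a socket unit and a service unit that apply the five groups of features listed above. The unit names, binary path, daemon flags (`--listen`, `--fd`, `--rundir`), port, address ranges and limits are all assumptions chosen for illustration.

```ini
# --- Before: the common case the abstract describes. The daemon runs as
# root, creates /run/example itself, binds its own port and has access to
# everything on the system it does not need.
[Service]
ExecStart=/usr/bin/example-daemon --listen 0.0.0.0:8080 --rundir /run/example

# --- After: systemd performs the privileged setup, then confines the daemon.

# example-daemon.socket: systemd binds the port and passes it to the
# service as fd 3, so the daemon never needs the privilege to bind.
[Socket]
ListenStream=0.0.0.0:8080

# example-daemon.service
[Unit]
Requires=example-daemon.socket
After=example-daemon.socket

[Service]
ExecStart=/usr/bin/example-daemon --fd 3 --rundir %t/example
# 1. Setup and cleanup by systemd: /run/example and /var/lib/example are
#    created owned by the service user; /run/example is removed on stop.
RuntimeDirectory=example
StateDirectory=example
# 2. Run as an unprivileged user allocated on the fly; no setuid path back.
DynamicUser=yes
NoNewPrivileges=yes
# 3. Kernel features: mount namespace, capabilities, resource limits.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
CapabilityBoundingSet=
MemoryMax=256M
TasksMax=64
# 4. BPF-based filters: per-service firewall and the devices controller.
IPAddressDeny=any
IPAddressAllow=10.0.0.0/8 127.0.0.0/8
DeviceAllow=/dev/null rw
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
```

`systemd-analyze security example-daemon.service` scores the resulting exposure and lists which of these directives are still missing, which is a quick way to check a unit before shipping it.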
Sunday January 26, 2020 3:00pm - 3:55pm CET
D0206, Faculty of Information Technology, Brno University of Technology, Božetěchova, Brno-Královo Pole, Czechia