Gentoo Archives: gentoo-dev

From: Kenton Groombridge <concord@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [RFC] Encouraging using hardening options in systemd units
Date: Thu, 25 Aug 2022 13:26:13
Message-Id: 20220825132559.emms2dctekxy76fi@fuuko
In Reply to: Re: [gentoo-dev] [RFC] Encouraging using hardening options in systemd units by Mike Gilbert
On 22/08/22 03:42PM, Mike Gilbert wrote:
> On Mon, Aug 22, 2022 at 2:10 PM Kenton Groombridge <concord@g.o> wrote:
> > What do you think?
>
> I am concerned that people will start mass filing bugs with
> suggestions without fully understanding them or without testing them
> thoroughly. Please don't do that.
>

I had thought of this potentially being a problem as well. I think with this in
mind perhaps it would be better to start with creating some documentation on
these systemd service options on the wiki, with notes geared for both users and
developers and when these options would/would not be a good idea to enable from
both perspectives. That way we can at least have some solid reference material
when addressing such bugs and providing guidance to developers to improve
systemd units in their packages.

> Also, ideally we would not need to provide systemd units at a distro
> level, and they would instead be provided by upstream. I certainly
> don't want to start installing distro-customized units where upstream
> already provides unit files.
>

I agree! Unfortunately I know of a very small amount of packages where hardened
systemd unit files are available but are not supported by upstream. One such
upstream includes a hardened systemd unit in their contrib/, but nevertheless it
is not installed by default for fear of breaking users' configurations.

I think the best way to address this is to have packages ship unit override
files instead of unit files themselves which enable these options. For example,
instead of Gentoo shipping a modified miniflux.service unit file, we can instead
install a file to /etc/system/miniflux.service.d/00gentoo.conf using the
existing systemd_install_serviced helper in systemd.eclass which enables these
options. Then, over time we can merge the modifications we make upstream if
upstream wants them. If not, we can continue to ship this override file without
changing how the original unit file gets installed.

Attachments

File name MIME type
signature.asc application/pgp-signature
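
The override-file approach described in the message above, as an added example that is not part of the original e-mail or of any Gentoo package: a simplified model of how a `00gentoo.conf` drop-in layers hardening settings over an upstream unit that stays untouched. The unit text, the drop-in contents and the choice of directives are constructed assumptions, and the merge logic only models single-valued settings.

```python
# Added illustration: simplified model of how systemd layers a drop-in over a unit.
# Only single-valued settings are modelled (list settings such as ExecStart= accumulate).
# Both texts below are constructed samples, not the real miniflux files.
UPSTREAM_UNIT = """\
[Service]
ExecStart=/usr/bin/miniflux
User=miniflux
PrivateTmp=no
"""

# Constructed content for a miniflux.service.d/00gentoo.conf drop-in.
GENTOO_DROPIN = """\
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
"""

def parse(text):
    """Return [(section, key, value)] in file order, skipping blanks and comments."""
    items, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section:
            key, value = line.split("=", 1)
            items.append((section, key.strip(), value.strip()))
    return items

def effective(unit, *dropins):
    """Apply drop-ins after the main unit; the last assignment of a setting wins."""
    merged = {}
    for text in (unit, *dropins):
        for section, key, value in parse(text):
            merged.setdefault(section, {})[key] = value
    return merged

def added_or_changed(unit, dropin):
    """Settings the drop-in contributes on top of the unmodified upstream unit."""
    base, final = effective(unit), effective(unit, dropin)
    return {(s, k): v for s, opts in final.items() for k, v in opts.items()
            if base.get(s, {}).get(k) != v}

if __name__ == "__main__":
    print(added_or_changed(UPSTREAM_UNIT, GENTOO_DROPIN))
```

On a real system, `systemctl cat miniflux.service` shows the unit together with its drop-ins, and `systemd-analyze security miniflux.service` scores the resulting sandboxing.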