d13ad389b4
My implementation was relying on PrivateDevices, PrivateTmp, PrivateUsers and others to be false by default if chroot-only mode is used. However there is an ongoing effort[1] to change these defaults, which then will actually increase the attack surface in chroot-only mode, because it is expected that there is no /dev, /sys or /proc. If for example PrivateDevices is enabled by default, there suddenly will be a mounted /dev in the chroot and we wouldn't detect it. Fortunately, our tests cover that, but I'm preparing for this anyway so that we have a smoother transition without the need to fix our implementation again. Thanks to @Infinisil for the heads-up. [1]: https://github.com/NixOS/nixpkgs/issues/14645 Signed-off-by: aszlig <aszlig@nix.build> |
||
---|---|---|
.. | ||
wrappers | ||
acme.nix | ||
acme.xml | ||
apparmor-suid.nix | ||
apparmor.nix | ||
audit.nix | ||
auditd.nix | ||
ca.nix | ||
chromium-suid-sandbox.nix | ||
dhparams.nix | ||
duosec.nix | ||
google_oslogin.nix | ||
hidepid.nix | ||
hidepid.xml | ||
lock-kernel-modules.nix | ||
misc.nix | ||
oath.nix | ||
pam_mount.nix | ||
pam_usb.nix | ||
pam.nix | ||
polkit.nix | ||
prey.nix | ||
rngd.nix | ||
rtkit.nix | ||
sudo.nix | ||
systemd-confinement.nix |