https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options
Last active
September 8, 2021 11:49
-
-
Save rusty-snake/c6d773fc27ddde9071461e0fe4010610 to your computer and use it in GitHub Desktop.
Comparison of systemds hardening options with firejail and vice versa.
@topimiettinen commented on Aug 11:
I implemented
ExecPaths=andNoExecPaths=in systemd PR
18273, but this has not
been released yet.This is now merged and released.
Nice.
| Not Implemented |
UMask=0077|I don't know if this is system-wide, but for single paths, isn't
read-only+noexecequivalent?Not really, umask is applied when creating new files but
read-onlyor
noexecremount a directory tree with flags to deny writing or executing. A
new umask can be also installed easily (unless prevented with seccomping) but
changing mount flags would need superuser capabilities.
I see; thanks for the explanation. For some reason I thought that the option
was actually about enforcing the permissions rather than just changing the
umask.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
For
net eth0there's no equivalent in systemd directives.For
netfilter /etc/firejail/myfilter.net, similar features areIPIngressFilterPath=/IPEgressFilterPath=and more generalBPFProgram=. They use BPF rather than iptables/nftables.Yes. I think there could be also further unification where also
/usr/sbinis just a symlink to/usr/bin.This is now merged and released.
Not really, umask is applied when creating new files but
read-onlyornoexecremount a directory tree with flags to deny writing or executing. A new umask can be also installed easily (unless prevented with seccomping) but changing mount flags would need superuser capabilities.