@rusty-snake
Last active September 8, 2021 11:49
Comparison of systemds hardening options with firejail and vice versa.
@kmk3
kmk3 commented Aug 11, 2021

@topimiettinen commented on Aug 11:

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not
been released yet.

This is now merged and released.

Nice.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't
read-only + noexec equivalent?

Not really, umask is applied when creating new files but read-only or
noexec remount a directory tree with flags to deny writing or executing. A
new umask can also be installed easily (unless prevented with seccomping) but
changing mount flags would need superuser capabilities.

I see; thanks for the explanation. For some reason I thought that the option
was actually about enforcing the permissions rather than just changing the
umask.
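
The distinction drawn in the comment above, shown in code as an added example (it is not part of the gist or of the thread): a umask only shapes the mode of files at the moment they are created, and the process can swap in a new one with a plain umask(2) call, whereas read-only and noexec are flags on the mount that an unprivileged process can only observe. Everything here is constructed and runs in a temporary directory; the function names are this example's own.

```python
"""Constructed demonstration: umask acts at file creation and is process-local;
read-only / noexec are properties of the mount, not of the process."""
import os
import stat
import tempfile


def create_with_umask(directory: str, name: str, mask: int) -> int:
    """Create a file while the given umask is active and return its permission bits.

    The requested mode is 0o666; the kernel clears every bit that is set in the
    umask, so 0o077 yields 0o600 and 0o000 yields 0o666.
    """
    previous = os.umask(mask)  # plain umask(2) call: no privilege needed to change it
    try:
        path = os.path.join(directory, name)
        fd = os.open(path, os.O_CREAT | os.O_WRONLY | os.O_EXCL, 0o666)
        os.close(fd)
    finally:
        os.umask(previous)  # restore the caller's mask
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> dict:
    """Create two files under different umasks and show the first is unaffected
    by the later umask change (umask is not an enforcement mechanism)."""
    with tempfile.TemporaryDirectory() as d:
        strict = create_with_umask(d, "a", 0o077)  # created as 0o600
        loose = create_with_umask(d, "b", 0o000)   # created as 0o666 by the same process
        # Changing the umask afterwards does nothing to files that already exist.
        a_after = stat.S_IMODE(os.stat(os.path.join(d, "a")).st_mode)
        return {"strict": strict, "loose": loose, "a_after_umask_change": a_after}


def mount_flags(path: str) -> dict:
    """Report whether the filesystem holding `path` is mounted read-only / noexec.

    These bits live in the mount, so a process can read them via statvfs(3) but
    cannot clear them without CAP_SYS_ADMIN; contrast with umask above.
    ST_NOEXEC is Linux-specific, hence the getattr fallback.
    """
    flags = os.statvfs(path).f_flag
    return {
        "read_only": bool(flags & os.ST_RDONLY),
        "noexec": bool(flags & getattr(os, "ST_NOEXEC", 0)),
    }


if __name__ == "__main__":
    print(demo())            # {'strict': 384, 'loose': 438, 'a_after_umask_change': 384}
    print(mount_flags("/"))  # e.g. {'read_only': False, 'noexec': False}
```

Reading the output side by side with a unit file makes the point of the table row: UMask=0077 in a service only sets the initial mask the service starts with, while ReadOnlyPaths= and NoExecPaths= change what the mount namespace will permit regardless of what the service later does.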
