daemon ordering

Howard Cochran howard at badger-technologies.com
Wed Feb 1 20:29:26 UTC 2017


On Wed, Feb 1, 2017 at 2:02 PM, Gustavo Niemeyer <gustavo at niemeyer.net> wrote:
>
> Such embedded devices are still computers on the network. We'll all be much
> better off if they are running their applications confined and secured.
>
> That said, we understand that it takes some time and effort until most
> software is properly confined, which is why we support snaps with classic
> and devmode confinement.
>
> Even there, though, we're keen to ensure that the general model supports a
> comfortable migration towards proper confinement, as that's where we'll all
> want to be in the end, so we shouldn't just go loose and implement features
> that we know will break confinement unnecessarily.

Those are all very good points, and I agree with them. It appears, to
me, though, that systemd has many features that can enhance
confinement and/or tailor it in very targeted ways. It would be nice
to be able to leverage those features. And many of its directives
don't break confinement (especially some very common ones like
Condition* and ExecStartPre/Post, Before, After, PartOf, Wants,
Conflicts, RuntimeDirectory, and others). Perhaps snapcraft could have
a whitelist of allowed directives when confinement mode is strict?

Thanks,
Howard
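As an added illustration of the whitelist idea raised in this message (example code, not from the thread and not snapcraft's own implementation): a small Python checker that parses a systemd unit file and reports any directive outside a per-section whitelist when the snap's confinement is "strict", while waiving the check for classic and devmode. The whitelist contents, the function names and the sample unit are assumptions made for this example.

```python
"""Hypothetical per-section directive whitelist for strict confinement.

The unit parser is deliberately minimal: it tolerates repeated keys
(systemd allows several ExecStartPre= lines), which configparser does not.
"""

# Directives assumed safe under strict confinement (hypothetical whitelist,
# not a snapcraft policy).  A trailing "*" marks a prefix, so "Condition*"
# covers ConditionPathExists, ConditionVirtualization and friends.
STRICT_ALLOWED = {
    "Unit": {"Description", "Documentation", "Before", "After", "PartOf",
             "Wants", "Requires", "Conflicts", "Condition*"},
    "Service": {"Type", "ExecStart", "ExecStartPre", "ExecStartPost",
                "ExecStop", "Restart", "RestartSec", "RuntimeDirectory",
                "TimeoutStopSec"},
    "Install": {"WantedBy", "RequiredBy"},
}

# Confinement modes for which the whitelist is not enforced.
UNCONFINED_MODES = {"classic", "devmode"}


def parse_unit(text):
    """Return a list of (section, key, value) tuples from unit-file text.

    Blank lines and comments (# or ;) are skipped; repeated keys are kept
    in order.  Malformed lines raise ValueError rather than being ignored,
    so a typo cannot silently bypass the check.
    """
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None:
            raise ValueError(f"directive before any section: {raw!r}")
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        entries.append((section, key.strip(), value.strip()))
    return entries


def _allowed(section, key):
    """True if key is whitelisted for section (exact or prefix match)."""
    patterns = STRICT_ALLOWED.get(section)
    if patterns is None:
        return False
    for pat in patterns:
        if pat.endswith("*"):
            if key.startswith(pat[:-1]):
                return True
        elif key == pat:
            return True
    return False


def check_unit(text, confinement):
    """Return a list of human-readable problems; an empty list means pass."""
    if confinement in UNCONFINED_MODES:
        return []
    if confinement != "strict":
        raise ValueError(f"unknown confinement mode: {confinement}")
    return [f"[{section}] {key} is not allowed under strict confinement"
            for section, key, _ in parse_unit(text)
            if not _allowed(section, key)]


# Constructed sample unit for the example, not taken from any real snap.
SAMPLE_UNIT = """\
[Unit]
Description=Example daemon
After=network-online.target
ConditionPathExists=/var/lib/exampled/ready

[Service]
ExecStartPre=/usr/bin/exampled --check-config
ExecStart=/usr/bin/exampled
RuntimeDirectory=exampled
User=root
DeviceAllow=/dev/mem rw

[Install]
WantedBy=multi-user.target
"""

if __name__ == "__main__":
    for problem in check_unit(SAMPLE_UNIT, "strict"):
        print(problem)
```

Run against the sample, the strict check flags `User=` and `DeviceAllow=` (the two directives that change the service's privilege boundary) and accepts the ordering, condition and runtime-directory lines Howard lists, which is the kind of distinction a whitelist would have to encode.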
