Support sandboxing apps/services/(plinth)
Created by: fonfon
We should add sandboxing capabilities to increase security.
Federico mentioned a very interesting and light-weight solution which is in Debian already: https://l3net.wordpress.com/projects/firejail/
See tutorial at https://wiki.debian.org/ServiceSandboxing
Progress of enabling systemd sandboxing (coverage %):
-
apache (8%) -
avahi (avahi-daemon) -
bind9 (51%) -
cockpit (cockpit.socket) -
coturn (40%) -
datetime (79%) -
deluge (37%) - deluge-web is hardened, deluged is not -
ejabberd (18%) -
firewall (firewalld) -
infinoted (40%) -
janus -
matrix-synapse (40%) -
mediawiki -
minetest (minetest-server) -
minidlna -
mumble (mumble-server) -
openvpn (27%) -
pagekite (56%) -
performance (pmcd, pmie, pmlogger, pmproxy) -
privoxy -
quasselcore (40%) -
samba (smbd, nmbd) -
security (fail2ban) -
shadowsocks (41%) -
ssh (openssh-server) -
syncthing (17%) -
tor (34%) -
transmission (transmission-daemon) -
ttrss (tt-rss) -
upgrades -
users (slapd) -
uwsgi (#1932) -
freedombox-udiskie -
freedombox-setup-repositories
Notes on upstreaming patches:
-
deluge-web: Waiting on bug https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=927197. There is an upstream service file in the source package, but not installed. -
infinoted: Patch updated (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=810865). -
bind9: Bug already open with mostly similar patch, but little activity (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841) -
matrix-synapse: Opened bug (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=955254) -
quassel-core: Bug opened with patch (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987648) -
coturn -
calibre-server -
janus
Edited by Sunil Mohan Adapa