mirror of
https://github.com/tailscale/tailscale.git
synced 2024-12-03 23:15:42 +00:00
83fccf9fe5
Research in issue #1063 uncovered why tailscaled would fail with ProtectClock enabled (it implicitly enabled DevicePolicy=closed). This knowledge in turn also opens the door for locking down /dev further, e.g. explicitly setting DevicePolicy=strict (instead of closed), and making /dev private for the unit. Additional possible future (or downstream) lockdown that can be done is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`), however, systemd 233 or later is required for this, and tailscaled currently need to work for systemd down to version 215. Closes https://github.com/tailscale/tailscale/issues/1063 Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> |
||
---|---|---|
.. | ||
cloner | ||
derper | ||
microproxy | ||
mkpkg | ||
tailscale | ||
tailscaled | ||
tsshd |