TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-02-19 19:38:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
tailscale/cmd
History
Frederik “Freso” S. Olesen 83fccf9fe5 tailscaled.service: Lock down clock and /dev (#1071) 
Research in issue #1063 uncovered why tailscaled would fail with
ProtectClock enabled (it implicitly enabled DevicePolicy=closed).

This knowledge in turn also opens the door for locking down /dev
further, e.g. explicitly setting DevicePolicy=strict (instead of
closed), and making /dev private for the unit.

Additional possible future (or downstream) lockdown that can be done
is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`), however,
systemd 233 or later is required for this, and tailscaled currently need
to work for systemd down to version 215.

Closes https://github.com/tailscale/tailscale/issues/1063

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
2021-01-07 10:18:55 -08:00
..
cloner
ipn: use cmd/cloner for Prefs.Clone
2020-10-19 12:15:49 -07:00
derper
wgkey: new package
2020-12-30 17:33:02 -08:00
microproxy
cmd/microproxy: add -insecure flag
2020-09-15 15:07:56 -07:00
mkpkg
cmd/mkpkg: support adding empty directories.
2020-05-04 17:57:13 -04:00
tailscale
wgkey: new package
2020-12-30 17:33:02 -08:00
tailscaled
tailscaled.service: Lock down clock and /dev (#1071)
2021-01-07 10:18:55 -08:00
tsshd
wgengine/monitor: don't call LinkChange when interfaces look unchanged
2020-03-10 11:03:19 -07:00