Bug 750598 - [review] lr/systemd-hardened: add some hardening options to the .service file
Status: RESOLVED FIXED
Product: NetworkManager
Classification: Platform
Component: general
Version: git master
OS: Other Linux
Priority/Severity: Normal normal
Target Milestone: ---
Assigned To: NetworkManager maintainer(s)
Depends on:
Blocks: nm-review
Reported: 2015-06-08 20:56 UTC by Lubomir Rintel
Modified: 2015-07-01 14:28 UTC
See Also:
GNOME target: ---
GNOME version: ---

Description Lubomir Rintel 2015-06-08 20:56:11 UTC
systemd offers some easy ways to harden up a service. Let's use that.

Tested with ethernet, wireless & vpnc connections.
Comment 1 Thomas Haller 2015-06-08 21:13:30 UTC
Looks good to me, didn't test :)


Will it work with openvpn and drop privileges (bug 555518)? Maybe let's merge the patch and solve the issues as they show up?
Comment 2 Dan Williams 2015-06-11 14:29:18 UTC
Do we need to add CAP_SYS_MODULE (for loading the bonding and PPP modules)?  If the capability restrictions follow to child processes then we'll need this, since NM spawns modprobe.

Also, what do we have that uses CAP_NET_BIND_SERVICE?  I know linux capabilities are pretty much abused, but the docs for this say that it allows binding to TCP/UDP sockets below 1024.  Do we do that anywhere?
Comment 3 Thomas Haller 2015-06-11 14:38:34 UTC
(In reply to Dan Williams from comment #2)
> Do we need to add CAP_SYS_MODULE (for loading the bonding and PPP modules)? 
> If the capability restrictions follow to child processes then we'll need
> this, since NM spawns modprobe.

probably yes(?). There is also:

share_init (void)
{
    char *modules[] = { "ip_tables", "iptable_nat", "nf_nat_ftp", "nf_nat_irc",
                        "nf_nat_sip", "nf_nat_tftp", "nf_nat_pptp", "nf_nat_h323",
                        NULL };

> Also, what do we have that uses CAP_NET_BIND_SERVICE?  I know linux
> capabilities are pretty much abused, but the docs for this say that it
> allows binding to TCP/UDP sockets below 1024.  Do we do that anywhere?

Maybe not? For example we start openvpn, but I don't think that has to listen on such a port either.
Comment 4 Lubomir Rintel 2015-07-01 14:28:52 UTC
Well, dnsmasq needs CAP_NET_BIND_SERVICE (and I think the DHCP client?)

Also, SETUID and SETGID are needed for dnsmasq privilege drop.

Tested with openvpn & vpnc and pushed.
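The capability question the thread keeps circling (does the bounding set follow NM's children, and does it still carry what modprobe, dnsmasq and the DHCP client need?), as an added example that is not part of the bug report, the pushed patch, or NetworkManager's own unit file. It pairs a hypothetical drop-in whose CapabilityBoundingSet= is assembled from the comments above with a bash check that decodes the CapBnd mask from a /proc/<pid>/status dump and reports which of the unit's declared capabilities a process lacks. The drop-in's option list and the status excerpt (constructed to model a spawned modprobe that lost CAP_SYS_MODULE) are assumptions; the bit numbers are the ones in <linux/capability.h>.

```shell
#!/usr/bin/env bash
# Added example, not NetworkManager's unit file or code. It compares a unit's
# declared CapabilityBoundingSet= with the CapBnd mask the kernel reports for a
# process in /proc/<pid>/status, so you can see whether a child such as modprobe
# still holds what it needs after the service was hardened.
set -eu

# Hypothetical drop-in. The capability list is an illustration taken from the
# discussion above (SYS_MODULE for modprobe, NET_BIND_SERVICE for dnsmasq/DHCP,
# SETUID/SETGID for dnsmasq's privilege drop) plus the obvious network bits; it
# is not the option set the patch actually pushed.
DROPIN='[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SYS_MODULE CAP_SETUID CAP_SETGID CAP_DAC_OVERRIDE CAP_KILL CAP_AUDIT_WRITE
ProtectSystem=full
ProtectHome=true
'

# Constructed /proc/<pid>/status excerpt (the real file uses tabs; read splits
# on either) for a spawned modprobe whose bounding set lacks CAP_SYS_MODULE
# while every other capability from the drop-in is present.
SAMPLE_STATUS='Name:   modprobe
Pid:    4242
CapInh: 0000000000000000
CapPrm: 00000000200034e2
CapEff: 00000000200034e2
CapBnd: 00000000200034e2
CapAmb: 0000000000000000'

# Bit numbers from <linux/capability.h>; extend the table as needed.
cap_number() {
  case "$1" in
    CAP_CHOWN) echo 0 ;;            CAP_DAC_OVERRIDE) echo 1 ;;
    CAP_KILL) echo 5 ;;             CAP_SETGID) echo 6 ;;
    CAP_SETUID) echo 7 ;;           CAP_NET_BIND_SERVICE) echo 10 ;;
    CAP_NET_ADMIN) echo 12 ;;       CAP_NET_RAW) echo 13 ;;
    CAP_SYS_MODULE) echo 16 ;;      CAP_SYS_ADMIN) echo 21 ;;
    CAP_AUDIT_WRITE) echo 29 ;;
    *) echo "unknown capability: $1" >&2; return 1 ;;
  esac
}

# unit_caps UNIT_TEXT: the value of a single-line CapabilityBoundingSet= allow
# list. Deliberately does not handle the "~" inverted form or merged lines.
unit_caps() {
  local line
  while read -r line; do
    case "$line" in
      CapabilityBoundingSet=*) printf '%s\n' "${line#CapabilityBoundingSet=}"; return 0 ;;
    esac
  done <<EOF
$1
EOF
  return 1
}

# mask_for_caps CAP...: the 64-bit hex mask the kernel would show for that set.
mask_for_caps() {
  local mask=0 cap bit
  for cap in "$@"; do
    bit=$(cap_number "$cap")
    mask=$(( mask | (1 << bit) ))
  done
  printf '%016x\n' "$mask"
}

# cap_in_mask HEXMASK CAP_NAME: succeeds iff the capability's bit is set.
cap_in_mask() {
  local mask=$1 bit
  bit=$(cap_number "$2") || return 2
  [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# capbnd_of_status STATUS_TEXT: the CapBnd value from a /proc/<pid>/status dump.
capbnd_of_status() {
  local key val
  while read -r key val; do
    if [ "$key" = "CapBnd:" ]; then printf '%s\n' "$val"; return 0; fi
  done <<EOF
$1
EOF
  return 1
}

# missing_caps HEXMASK CAP...: prints each listed capability absent from the mask.
missing_caps() {
  local mask=$1 cap
  shift
  for cap in "$@"; do
    cap_in_mask "$mask" "$cap" || printf '%s\n' "$cap"
  done
  return 0
}

# On a live system the same check reads the real file, e.g.
#   missing_caps "$(capbnd_of_status "$(cat /proc/$(pidof modprobe)/status)")" $(unit_caps "$DROPIN")
echo "unit mask:   $(mask_for_caps $(unit_caps "$DROPIN"))"
echo "child CapBnd: $(capbnd_of_status "$SAMPLE_STATUS")"
echo "child lacks:"
missing_caps "$(capbnd_of_status "$SAMPLE_STATUS")" $(unit_caps "$DROPIN")
```

The bounding set is inherited across fork and kept across execve and can only shrink, so whatever the service unit removes is gone for modprobe, dnsmasq and the DHCP helper too; that is why the check is run against the child's status rather than the daemon's. Against a running system, `systemctl show -p CapabilityBoundingSet NetworkManager` gives the unit side and `grep CapBnd /proc/<pid>/status` the process side.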