GNOME Bugzilla – Bug 750598
[review] lr/systemd-hardened: add some hardening options to the .service file
Last modified: 2015-07-01 14:28:52 UTC
systemd offers some easy ways to harden up a service. Let's use that. Tested with ethernet, wireless & vpnc connections.
Looks good to me, didn't test :) Will it work with openvpn and drop privileges (bug 555518)? Maybe let's merge the patch, and solve the issues as they show up?
Do we need to add CAP_SYS_MODULE (for loading the bonding and PPP modules)? If the capability restrictions follow to child processes then we'll need this, since NM spawns modprobe. Also, what do we have that uses CAP_NET_BIND_SERVICE? I know linux capabilities are pretty much abused, but the docs for this say that it allows binding to TCP/UDP sockets below 1024. Do we do that anywhere?
(In reply to Dan Williams from comment #2)
> Do we need to add CAP_SYS_MODULE (for loading the bonding and PPP modules)?
> If the capability restrictions follow to child processes then we'll need
> this, since NM spawns modprobe.

probably yes(?). There is also:

    share_init (void)
    {
        char *modules[] = { "ip_tables", "iptable_nat", "nf_nat_ftp", "nf_nat_irc",
                            "nf_nat_sip", "nf_nat_tftp", "nf_nat_pptp", "nf_nat_h323", NULL };

> Also, what do we have that uses CAP_NET_BIND_SERVICE? I know linux
> capabilities are pretty much abused, but the docs for this say that it
> allows binding to TCP/UDP sockets below 1024. Do we do that anywhere?

Maybe not? For example we start openvpn, but I don't think that has to listen on such a port either.
Well, dnsmasq needs CAP_NET_BIND_SERVICE (and I think the DHCP client?) Also, SETUID and SETGID are needed for dnsmasq privilege drop. Tested with openvpn & vpnc and pushed.
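The thread above settles which capabilities NetworkManager's helpers need (CAP_SYS_MODULE for modprobe, CAP_NET_BIND_SERVICE for dnsmasq, CAP_SETUID and CAP_SETGID for dnsmasq's privilege drop). The script below is an added check, not part of the bug thread or of NetworkManager: it decodes the CapBnd mask from /proc/PID/status and reports which of those capabilities a running service has lost to its CapabilityBoundingSet. The bit numbers follow linux/capability.h; the list NM_REQUIRED is only the subset the thread names, not NetworkManager's full requirement, and check_service assumes the unit name NetworkManager.service.

```shell
#!/bin/sh
# Decode a capability bounding-set mask (the CapBnd line of /proc/PID/status)
# and report which capabilities from a required list are absent from it.

# cap_bit NAME : bit number of a capability, per linux/capability.h
cap_bit() {
    case "$1" in
        CAP_CHOWN) echo 0 ;;
        CAP_KILL) echo 5 ;;
        CAP_SETGID) echo 6 ;;
        CAP_SETUID) echo 7 ;;
        CAP_NET_BIND_SERVICE) echo 10 ;;
        CAP_NET_ADMIN) echo 12 ;;
        CAP_NET_RAW) echo 13 ;;
        CAP_SYS_MODULE) echo 16 ;;
        CAP_SYS_ADMIN) echo 21 ;;
        *) return 1 ;;
    esac
}

# missing_caps MASK CAP... : prints each required capability not set in MASK
missing_caps() {
    mask="$1"; shift
    for cap in "$@"; do
        bit=$(cap_bit "$cap") || { echo "unknown capability: $cap" >&2; return 2; }
        if [ $(( (mask >> bit) & 1 )) -eq 0 ]; then
            echo "$cap"
        fi
    done
}

# read_capbnd PID : CapBnd mask of a running process as a 0x-prefixed hex string
read_capbnd() {
    awk '/^CapBnd:/ { print "0x" $2 }' "/proc/$1/status"
}

# Capabilities the bug thread identifies: modprobe needs CAP_SYS_MODULE,
# dnsmasq needs CAP_NET_BIND_SERVICE plus CAP_SETUID/CAP_SETGID to drop privileges.
NM_REQUIRED="CAP_SYS_MODULE CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID"

# check_service UNIT : compare the unit's main process against NM_REQUIRED
# (assumes systemd; e.g. check_service NetworkManager.service)
check_service() {
    pid=$(systemctl show -p MainPID "$1" | cut -d= -f2)
    [ -n "$pid" ] && [ "$pid" != 0 ] || { echo "$1 not running" >&2; return 1; }
    missing_caps "$(read_capbnd "$pid")" $NM_REQUIRED
}
```

An empty result from check_service means the bounding set still carries every capability the thread lists; each printed name is one the unit file has stripped and that the corresponding helper will fail without.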