From 54e7bdf5823618deede02c27098b6b81f526ae3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20K=C3=BCthe?=
Date: Thu, 1 Feb 2024 21:34:25 +0000
Subject: [PATCH] Hardening systemd unit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security has been improved from "9.6 UNSAFE 😨" to "2.3 OK 🙂".

`systemd-analyze security tinc@` now returns:

```
  NAME  DESCRIPTION  EXPOSURE
✓ SystemCallFilter=~@swap  System call deny list defined for service, and @swap is included
✓ SystemCallFilter=~@resources  System call deny list defined for service, and @resources is included
✓ SystemCallFilter=~@reboot  System call deny list defined for service, and @reboot is included
✓ SystemCallFilter=~@raw-io  System call deny list defined for service, and @raw-io is included
✓ SystemCallFilter=~@privileged  System call deny list defined for service, and @privileged is included
✓ SystemCallFilter=~@obsolete  System call deny list defined for service, and @obsolete is included
✓ SystemCallFilter=~@mount  System call deny list defined for service, and @mount is included
✓ SystemCallFilter=~@module  System call deny list defined for service, and @module is included
✓ SystemCallFilter=~@debug  System call deny list defined for service, and @debug is included
✓ SystemCallFilter=~@cpu-emulation  System call deny list defined for service, and @cpu-emulation is included
✓ SystemCallFilter=~@clock  System call deny list defined for service, and @clock is included
✗ RootDirectory=/RootImage=  Service runs within the host's root directory  0.1
  SupplementaryGroups=  Service runs as root, option does not matter
  RemoveIPC=  Service runs as root, option does not apply
✗ User=/DynamicUser=  Service runs as root user  0.4
✓ RestrictRealtime=  Service realtime scheduling access is restricted
✓ CapabilityBoundingSet=~CAP_SYS_TIME  Service processes cannot change the system clock
✓ NoNewPrivileges=  Service processes cannot acquire new privileges
✗ AmbientCapabilities=  Service process receives ambient capabilities  0.1
✗ PrivateDevices=  Service potentially has access to hardware devices  0.2
✓ CapabilityBoundingSet=~CAP_BPF  Service may load BPF programs
✓ SystemCallArchitectures=  Service may execute system calls only with native ABI
✗ RestrictAddressFamilies=~AF_NETLINK  Service may allocate netlink sockets  0.1
✗ RestrictAddressFamilies=~AF_(INET|INET6)  Service may allocate Internet sockets  0.3
✓ ProtectSystem=  Service has strict read-only access to the OS file hierarchy
✓ ProtectProc=  Service has restricted access to process tree (/proc hidepid=)
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO  Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE  Service has no ptrace() debugging abilities
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)  Service has no privileges to change resource use parameters
✗ DeviceAllow=  Service has no device ACL  0.2
✓ CapabilityBoundingSet=~CAP_AUDIT_*  Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN  Service has no administrator privileges
✓ PrivateTmp=  Service has no access to other software's temporary files
✓ ProcSubset=  Service has no access to non-process /proc files (/proc subset=)
✓ CapabilityBoundingSet=~CAP_SYSLOG  Service has no access to kernel logging
✓ ProtectHome=  Service has no access to home directories
✗ CapabilityBoundingSet=~CAP_NET_ADMIN  Service has network configuration privileges  0.2
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)  Service has elevated networking privileges  0.1
✗ PrivateNetwork=  Service has access to the host's network  0.5
✗ PrivateUsers=  Service has access to other users  0.2
✓ KeyringMode=  Service doesn't share key material with other services
✓ Delegate=  Service does not maintain its own delegated control group subtree
✗ IPAddressDeny=  Service does not define an IP address allow list  0.2
✓ NotifyAccess=  Service child processes cannot alter service state
✓ ProtectClock=  Service cannot write to the hardware clock or system clock
✓ CapabilityBoundingSet=~CAP_SYS_PACCT  Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_KILL  Service cannot send UNIX signals to arbitrary processes
✓ ProtectKernelLogs=  Service cannot read from or write to the kernel log ring buffer
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM  Service cannot program timers that wake up the system
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)  Service cannot override UNIX file/IPC permission checks
✓ ProtectControlGroups=  Service cannot modify the control group file system
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE  Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK  Service cannot lock memory into RAM
✓ ProtectKernelModules=  Service cannot load or read kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_MODULE  Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG  Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_SYS_BOOT  Service cannot issue reboot()
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT  Service cannot issue chroot()
✓ PrivateMounts=  Service cannot install system mounts
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND  Service cannot establish wake locks
✓ MemoryDenyWriteExecute=  Service cannot create writable executable memory mappings
✓ RestrictNamespaces=~user  Service cannot create user namespaces
✓ RestrictNamespaces=~pid  Service cannot create process namespaces
✓ RestrictNamespaces=~net  Service cannot create network namespaces
✓ RestrictNamespaces=~uts  Service cannot create hostname namespaces
✓ RestrictNamespaces=~mnt  Service cannot create file system namespaces
✓ CapabilityBoundingSet=~CAP_LEASE  Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_MKNOD  Service cannot create device nodes
✓ RestrictNamespaces=~cgroup  Service cannot create cgroup namespaces
✓ RestrictNamespaces=~ipc  Service cannot create IPC namespaces
✓ ProtectHostname=  Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)  Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)  Service cannot change UID/GID identities/capabilities
✓ LockPersonality=  Service cannot change ABI personality
✓ ProtectKernelTunables=  Service cannot alter kernel tunables (/proc/sys, …)
✓ RestrictAddressFamilies=~AF_PACKET  Service cannot allocate packet sockets
✓ RestrictAddressFamilies=~AF_UNIX  Service cannot allocate local sockets
✓ RestrictAddressFamilies=~…  Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_MAC_*  Service cannot adjust SMACK MAC
✓ RestrictSUIDSGID=  SUID/SGID file creation by service is restricted
✗ UMask=  Files created by service are world-readable by default  0.1

→ Overall exposure level for tinc@test-instance.service: 2.3 OK 🙂
```

Signed-off-by: Marek Küthe
---
 systemd/tinc@.service.in | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/systemd/tinc@.service.in b/systemd/tinc@.service.in
index 95e869203..2404225d8 100644
--- a/systemd/tinc@.service.in
+++ b/systemd/tinc@.service.in
@@ -7,6 +7,33 @@ PartOf=tinc.service ReloadPropagatedFrom=tinc.service [Service] +RemoveIPC=true +NoNewPrivileges=true +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE +AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE +SystemCallArchitectures=native +SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap +MemoryDenyWriteExecute=true +RestrictSUIDSGID=true +LockPersonality=true +RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK +RestrictRealtime=true +RestrictNamespaces=true +ProtectSystem=strict +ProtectHome=true +ProtectClock=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectControlGroups=true +ProtectHostname=true +ProtectKernelTunables=true +ProtectProc=ptraceable +ProcSubset=pid +PrivateTmp=true +PrivateMounts=true +DeviceAllow=/dev/net/tun rwm +DeviceAllow=/dev/net/tap rwm + Type=notify WorkingDirectory=@sysconfdir@/tinc/%i ExecStart=@sbindir@/tincd -n %i -D
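Review bot: `ProtectSystem=strict` in this hunk leaves /run and /var read-only (only /dev, /proc and /sys stay writable) and no other line grants tincd a writable location, so if tincd writes a PID file or other runtime state there the instance will fail at start even though `systemd-analyze security` scores it well; add `RuntimeDirectory=tinc/%i` (or a `ReadWritePaths=` line for the exact path) and state in the commit message that an instance was actually started and passed traffic with these settings, since the quoted score only reflects static analysis. Two smaller points: `DeviceAllow=/dev/net/tap rwm` names a node that Linux does not provide (TAP interfaces are also opened through /dev/net/tun), so the line is dead and should be dropped or explained; and `RemoveIPC=true` has no effect while the service runs as root, which the quoted analysis itself notes ("Service runs as root, option does not apply"). Finally, `RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK` excludes AF_UNIX; confirm that neither tincd nor any helper it spawns needs a local socket (syslog via /dev/log, for instance), because that socket() call will now fail.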
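The commit message judges the unit by the `systemd-analyze security` table. As an added example that is not part of this patch or of tinc, the following Python parses that table into records so the remaining ✗ rows can be triaged by exposure from a script or CI job; the sample rows embedded below are a constructed subset copied from the output quoted above, and the column layout assumed (optional ✓/✗ marker, a space-free NAME, free-text DESCRIPTION, optional trailing EXPOSURE) is exactly what that quoted output shows.

```python
"""Parse `systemd-analyze security <unit>` output and list remaining exposure."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    # ok is None for rows systemd prints without a marker (options that do not
    # apply, e.g. RemoveIPC= while the service runs as root).
    ok: Optional[bool]
    name: str
    description: str
    exposure: float  # 0.0 when the row carries no exposure value


@dataclass
class Report:
    unit: str
    overall: float
    verdict: str
    findings: List[Finding]


# marker (optional), NAME (no spaces), DESCRIPTION, optional trailing exposure
_ROW = re.compile(r"^\s*(?:([✓✗])\s+)?(\S+)\s+(.*?)(?:\s+(\d+\.\d+))?\s*$")
_SUMMARY = re.compile(r"Overall exposure level for (\S+): (\d+\.\d+)\s+(\S+)")


def parse_report(text: str) -> Report:
    """Turn the analysis table into a Report; unknown lines are skipped."""
    unit, overall, verdict, findings = "", 0.0, "", []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = _SUMMARY.search(line)
        if m:
            unit, overall, verdict = m.group(1), float(m.group(2)), m.group(3)
            continue
        if line.split()[:3] == ["NAME", "DESCRIPTION", "EXPOSURE"]:
            continue  # column header
        m = _ROW.match(line)
        if not m:
            continue
        mark, name, desc, exp = m.groups()
        ok = None if mark is None else mark == "✓"
        findings.append(Finding(ok, name, desc, float(exp) if exp else 0.0))
    return Report(unit, overall, verdict, findings)


def open_findings(report: Report, min_exposure: float = 0.0) -> List[Finding]:
    """Failed (✗) checks at or above min_exposure, highest exposure first."""
    failed = [f for f in report.findings
              if f.ok is False and f.exposure >= min_exposure]
    return sorted(failed, key=lambda f: f.exposure, reverse=True)


# Constructed sample: a subset of the rows from the commit message above.
SAMPLE = """\
  NAME                                   DESCRIPTION                                                 EXPOSURE
✗ RootDirectory=/RootImage=              Service runs within the host's root directory                    0.1
  SupplementaryGroups=                   Service runs as root, option does not matter
✗ User=/DynamicUser=                     Service runs as root user                                        0.4
✓ NoNewPrivileges=                       Service processes cannot acquire new privileges
✗ PrivateNetwork=                        Service has access to the host's network                         0.5
✗ CapabilityBoundingSet=~CAP_NET_ADMIN   Service has network configuration privileges                     0.2
✓ ProtectSystem=                         Service has strict read-only access to the OS file hierarchy
✗ UMask=                                 Files created by service are world-readable by default           0.1

→ Overall exposure level for tinc@test-instance.service: 2.3 OK 🙂
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    print(f"{rep.unit}: {rep.overall} {rep.verdict}")
    for f in open_findings(rep):
        print(f"  {f.exposure:.1f}  {f.name}  {f.description}")
```

Rows without a marker are kept with `ok=None` rather than dropped, so a script can tell "does not apply" apart from "passes"; for a VPN daemon the remaining ✗ rows (network access, CAP_NET_ADMIN, running as root) are the ones that need a written justification rather than another directive.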