Hardening systemd unit #451
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Security has been improved from "9.6 UNSAFE 😨" to "2.3 OK 🙂". `systemd-analyze security tinc@` returns now: ``` NAME DESCRIPTION EXPOSURE ✓ SystemCallFilter=~@swap System call deny list defined for service, and @swap is included ✓ SystemCallFilter=~@resources System call deny list defined for service, and @resources is included ✓ SystemCallFilter=~@reboot System call deny list defined for service, and @reboot is included ✓ SystemCallFilter=~@raw-io System call deny list defined for service, and @raw-io is included ✓ SystemCallFilter=~@PRIVILEGED System call deny list defined for service, and @PRIVILEGED is included ✓ SystemCallFilter=~@obsolete System call deny list defined for service, and @obsolete is included ✓ SystemCallFilter=~@mount System call deny list defined for service, and @mount is included ✓ SystemCallFilter=~@module System call deny list defined for service, and @module is included ✓ SystemCallFilter=~@debug System call deny list defined for service, and @debug is included ✓ SystemCallFilter=~@cpu-emulation System call deny list defined for service, and @cpu-emulation is included ✓ SystemCallFilter=~@clock System call deny list defined for service, and @clock is included ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 SupplementaryGroups= Service runs as root, option does not matter RemoveIPC= Service runs as root, option does not apply ✗ User=/DynamicUser= Service runs as root user 0.4 ✓ RestrictRealtime= Service realtime scheduling access is restricted ✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock ✓ NoNewPrivileges= Service processes cannot acquire new privileges ✗ AmbientCapabilities= Service process receives ambient capabilities 0.1 ✗ PrivateDevices= Service potentially has access to hardware devices 0.2 ✓ CapabilityBoundingSet=~CAP_BPF Service may load BPF programs ✓ SystemCallArchitectures= Service may execute system calls only with native ABI ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy ✓ ProtectProc= Service has restricted access to process tree (/proc hidepid=) ✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access ✓ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has no ptrace() debugging abilities ✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has no privileges to change resource use parameters ✗ DeviceAllow= Service has no device ACL 0.2 ✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem access ✓ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has no administrator privileges ✓ PrivateTmp= Service has no access to other software's temporary files ✓ ProcSubset= Service has no access to non-process /proc files (/proc subset=) ✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging ✓ ProtectHome= Service has no access to home directories ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2 ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1 ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ PrivateUsers= Service has access to other users 0.2 ✓ KeyringMode= Service doesn't share key material with other services ✓ Delegate= Service does not maintain its own delegated control group subtree ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✓ NotifyAccess= Service child processes cannot alter service state ✓ ProtectClock= Service cannot write to the hardware clock or system clock ✓ CapabilityBoundingSet=~CAP_SYS_PACCT Service cannot use acct() ✓ CapabilityBoundingSet=~CAP_KILL Service cannot send UNIX signals to arbitrary processes ✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system ✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service cannot override UNIX file/IPC permission checks ✓ ProtectControlGroups= Service cannot modify the control group file system ✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service cannot mark files immutable ✓ CapabilityBoundingSet=~CAP_IPC_LOCK Service cannot lock memory into RAM ✓ ProtectKernelModules= Service cannot load or read kernel modules ✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules ✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service cannot issue vhangup() ✓ CapabilityBoundingSet=~CAP_SYS_BOOT Service cannot issue reboot() ✓ CapabilityBoundingSet=~CAP_SYS_CHROOT Service cannot issue chroot() ✓ PrivateMounts= Service cannot install system mounts ✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service cannot establish wake locks ✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings ✓ RestrictNamespaces=~user Service cannot create user namespaces ✓ RestrictNamespaces=~pid Service cannot create process namespaces ✓ RestrictNamespaces=~net Service cannot create network namespaces ✓ RestrictNamespaces=~uts Service cannot create hostname namespaces ✓ RestrictNamespaces=~mnt Service cannot create file system namespaces ✓ CapabilityBoundingSet=~CAP_LEASE Service cannot create file leases ✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes ✓ RestrictNamespaces=~cgroup Service cannot create cgroup namespaces ✓ RestrictNamespaces=~ipc Service cannot create IPC namespaces ✓ ProtectHostname= Service cannot change system host/domainname ✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service cannot change file ownership/access mode/capabilities ✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service cannot change UID/GID identities/capabilities ✓ LockPersonality= Service cannot change ABI personality ✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …) ✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet sockets ✓ RestrictAddressFamilies=~AF_UNIX Service cannot allocate local sockets ✓ RestrictAddressFamilies=~… Service cannot allocate exotic sockets ✓ CapabilityBoundingSet=~CAP_MAC_* Service cannot adjust SMACK MAC ✓ RestrictSUIDSGID= SUID/SGID file creation by service is restricted ✗ UMask= Files created by service are world-readable by default 0.1 → Overall exposure level for [email protected]: 2.3 OK 🙂 ``` Signed-off-by: Marek Küthe <[email protected]>
In order to isolate the unit as much as possible, but not lose the functionality to write files, the files are now written to extra directories. Due to the security restrictions, Tinc has lost the ability to write to the `/var/log` and `/var/run` directories. One possibility would be to allow this explicitly, but then Tinc could also access files from other programs. Therefore, an extra directory `/var/log/tinc/` and `/var/run/tinc` is created for Tinc, into which Tinc can then write. The automatic creation of the directories is achieved with the directives `RuntimeDirectory` and `LogsDirectory`. Allowing access to them via `ReadWritePaths`. To create platform compatibility, placeholders such as `%L` for the log directory, `%t` for the runstate directory and `%E` for the configuration file directory are used instead of the absolute directory names. Signed-off-by: Marek Küthe <[email protected]>
|
I have now also tested the whole thing briefly with Tinc 1.1 and after I corrected one thing, everything worked. The background to why this is the case: Another possibility would be to change the default path in the code itself. |
Signed-off-by: Marek Küthe <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Security has been improved from "9.6 UNSAFE 😨" to "2.1 OK 🙂".
systemd-analyze security tinc@returns now:I have successfully tested the change in both router and switch mode in a GNS3 lab between two peers (running tinc from debian stable). However, it would be great if someone else could test this as well.