NetworkManager/data/nm-sudo.service.in

[Unit]
Description=NetworkManager Sudo Helper
#
# nm-sudo exists for privilege separation. It allows to run NetworkManager
# without certain capabilities, and ask nm-sudo for special operations
# where more privileges are required.
#
# While nm-sudo has privileges that NetworkManager has not, it does not
# mean that itself should run totally unconstrained. On the contrary, it
# also should only have permissions it requires.
#
# nm-sudo rejects all requests that come from any other than the name
# owner of "org.freedesktop.NetworkManager" (that is, NetworkManager process
# itself). It is thus only an implementation detail and provides no public
# API to the user.

[Service]
Type=dbus
BusName=org.freedesktop.nm.sudo
ExecStart=@libexecdir@/nm-sudo
NotifyAccess=main

# Extra configuration options. Set via `systemctl edit nm-sudo.service`:
#
# FOR TESTING ONLY: disable authentication to allow requests from
# everybody. Don't set this outside of testing!
#Environment=NM_SUDO_NO_AUTH_FOR_TESTING=1
#
# The logging level for debug messages (to stdout).
#Environment=NM_SUDO_LOG=TRACE
#
# nm-sudo will exit on idle after timeout. Set timeout here
# or set to 2147483647 for infinity.
#Environment=NM_SUDO_IDLE_TIMEOUT_MSEC=10000

[Install]
Alias=dbus-org.freedesktop.nm.sudo.service

[Service]
# Restrict:
AmbientCapabilities=
CapabilityBoundingSet=
PrivateDevices=true
PrivateMounts=true
PrivateNetwork=true
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=strict
RestrictAddressFamilies=
RestrictNamespaces=true
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
NoNewPrivileges=true
SupplementaryGroups=

# Grant:
CapabilityBoundingSet=CAP_DAC_OVERRIDE
PrivateUsers=no
RestrictAddressFamilies=AF_UNIX
SystemCallFilter=@resources
sudo: introduce nm-sudo D-Bus service NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826 2021-07-18 08:53:43 +02:00			`[Unit]`
nm-sudo: comment environment variables in "nm-sudo.service.in" 2021-07-26 17:34:05 +02:00			`Description=NetworkManager Sudo Helper`
sudo: introduce nm-sudo D-Bus service NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826 2021-07-18 08:53:43 +02:00			`#`
			`# nm-sudo exists for privilege separation. It allows to run NetworkManager`
			`# without certain capabilities, and ask nm-sudo for special operations`
			`# where more privileges are required.`
			`#`
			`# While nm-sudo has privileges that NetworkManager has not, it does not`
			`# mean that itself should run totally unconstrained. On the contrary, it`
			`# also should only have permissions it requires.`
			`#`
			`# nm-sudo rejects all requests that come from any other than the name`
			`# owner of "org.freedesktop.NetworkManager" (that is, NetworkManager process`
			`# itself). It is thus only an implementation detail and provides no public`
			`# API to the user.`

			`[Service]`
			`Type=dbus`
			`BusName=org.freedesktop.nm.sudo`
			`ExecStart=@libexecdir@/nm-sudo`
nm-sudo: fix race during exit-on-idle nm-sudo is D-Bus activated and exits-on-idle. To do that race-free we need: - sd_notify("STOPPING=1") - ReleaseName - keep processing pending requests 2021-08-02 22:30:47 +02:00			`NotifyAccess=main`
sudo: introduce nm-sudo D-Bus service NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826 2021-07-18 08:53:43 +02:00
nm-sudo: comment environment variables in "nm-sudo.service.in" 2021-07-26 17:34:05 +02:00			# Extra configuration options. Set via `systemctl edit nm-sudo.service`:
			`#`
			`# FOR TESTING ONLY: disable authentication to allow requests from`
			`# everybody. Don't set this outside of testing!`
			`#Environment=NM_SUDO_NO_AUTH_FOR_TESTING=1`
			`#`
			`# The logging level for debug messages (to stdout).`
			`#Environment=NM_SUDO_LOG=TRACE`
			`#`
			`# nm-sudo will exit on idle after timeout. Set timeout here`
			`# or set to 2147483647 for infinity.`
			`#Environment=NM_SUDO_IDLE_TIMEOUT_MSEC=10000`
sudo: introduce nm-sudo D-Bus service NetworkManager runs as root and has lots of capabilities. We want to reduce the attach surface by dropping capabilities, but there is a genuine need to do certain things. For example, we currently require dac_override capability, to open the unix socket of ovsdb. Most users wouldn't use OVS, so we should find a way to not require that dac_override capability. The solution is to have a separate, D-Bus activate service (nm-sudo), which has the capability to open and provide the file descriptor. For authentication, we only rely on D-Bus. We watch the name owner of NetworkManager, and only accept requests from that service. We trust D-Bus to get it right a request from that name owner is really coming from NetworkManager. If we couldn't trust that, how could PolicyKit or any authentication via D-Bus work? For testing, the user can set NM_SUDO_NO_AUTH_FOR_TESTING=1. https://bugzilla.redhat.com/show_bug.cgi?id=1921826 2021-07-18 08:53:43 +02:00
			`[Install]`
			`Alias=dbus-org.freedesktop.nm.sudo.service`

			`[Service]`
			`# Restrict:`
			`AmbientCapabilities=`
			`CapabilityBoundingSet=`
			`PrivateDevices=true`
			`PrivateMounts=true`
			`PrivateNetwork=true`
			`PrivateTmp=true`
			`ProtectClock=true`
			`ProtectControlGroups=true`
			`ProtectHome=true`
			`ProtectHostname=true`
			`ProtectKernelLogs=true`
			`ProtectKernelModules=true`
			`ProtectKernelTunables=true`
			`ProtectSystem=strict`
			`RestrictAddressFamilies=`
			`RestrictNamespaces=true`
			`SystemCallFilter=~@clock`
			`SystemCallFilter=~@cpu-emulation`
			`SystemCallFilter=~@debug`
			`SystemCallFilter=~@module`
			`SystemCallFilter=~@mount`
			`SystemCallFilter=~@obsolete`
			`SystemCallFilter=~@privileged`
			`SystemCallFilter=~@raw-io`
			`SystemCallFilter=~@reboot`
			`SystemCallFilter=~@swap`
			`NoNewPrivileges=true`
			`SupplementaryGroups=`

			`# Grant:`
			`CapabilityBoundingSet=CAP_DAC_OVERRIDE`
			`PrivateUsers=no`
			`RestrictAddressFamilies=AF_UNIX`
			`SystemCallFilter=@resources`