fdo-mirrors/NetworkManager
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git synced 2025-12-20 16:20:05 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

data/NetworkManager.service: restrict the unit some more

Browse source 
This adds some low-hanging food to improve our score with "systemd-analyze
security" by one point:

Before:
  → Overall exposure level for NetworkManager.service: 7.8 EXPOSED 🙁

After:
  → Overall exposure level for NetworkManager.service: 6.8 MEDIUM 😐

Nothing particularly impactful here: we still got DAC_OVERRIDE, we still
can insert loadable modules (as opposed to relying on autoload) and
read user home directories. But there's a slight chance this may save
our butts one day, who knows.

https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2062
This commit is contained in:
Lubomir Rintel 2024-10-29 16:37:52 +01:00
parent dd7252ff0c
commit 2dd3466a78
1 changed files with 10 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
data/NetworkManager.service.in
View file

@ -21,8 +21,17 @@ TimeoutStartSec=600
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
ProtectSystem=true PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=read-only ProtectHome=read-only
ProtectKernelLogs=true
ProtectSystem=true
RestrictNamespaces=cgroup ipc net mnt pid user uts
RestrictRealtime=true
RestrictSUIDSGID=true
# We require file descriptors for DHCP etc. When activating many interfaces, # We require file descriptors for DHCP etc. When activating many interfaces,
# the default limit of 1024 is easily reached. # the default limit of 1024 is easily reached.