mirror of
https://gitlab.freedesktop.org/NetworkManager/NetworkManager.git
synced 2025-12-20 07:00:05 +01:00
data/NetworkManager.service: restrict the unit some more
This adds some low-hanging food to improve our score with "systemd-analyze security" by one point: Before: → Overall exposure level for NetworkManager.service: 7.8 EXPOSED 🙁 After: → Overall exposure level for NetworkManager.service: 6.8 MEDIUM 😐 Nothing particularly impactful here: we still got DAC_OVERRIDE, we still can insert loadable modules (as opposed to relying on autoload) and read user home directories. But there's a slight chance this may save our butts one day, who knows. https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2062
This commit is contained in:
Lubomir Rintel
parent
dd7252ff0c
commit
2dd3466a78
1 changed files with 10 additions and 1 deletions
|
|
@ -21,8 +21,17 @@ TimeoutStartSec=600
|
|||
|
||||
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE CAP_AUDIT_WRITE CAP_KILL CAP_SYS_CHROOT
|
||||
|
||||
ProtectSystem=true
|
||||
PrivateTmp=true
|
||||
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=read-only
|
||||
ProtectKernelLogs=true
|
||||
ProtectSystem=true
|
||||
|
||||
RestrictNamespaces=cgroup ipc net mnt pid user uts
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
|
||||
# We require file descriptors for DHCP etc. When activating many interfaces,
|
||||
# the default limit of 1024 is easily reached.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue