From 6fb4af730012441adbbc99e87ae137195d7109a5 Mon Sep 17 00:00:00 2001
From: Thomas Haller
Date: Wed, 22 Nov 2023 11:11:15 +0100
Subject: [PATCH] cloud-setup: more sandboxing in service file
Note that some of those sandboxing options may require relatively recent systemd. In that case, to run against older systemd, you will need to patch the service file. I don't think there is a way around that, and limiting outselves to only the oldest supported option is harmful for users who run recent systemd. See-also: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
---
 NEWS | 1 +
 src/nm-cloud-setup/nm-cloud-setup.service.in | 10 +++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 767d692798..7fd1d5fe29 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ Overview of changes since NetworkManager-1.44
 * Limit number of exported IP addresses/routes on D-Bus to 100 to reduce performance cost. Also, D-Bus updates for addresses/routes are now rate limited to 3 per second.
+* cloud-setup: enable more sandboxing options in systemd service file.
 =============================================
 NetworkManager-1.44
diff --git a/src/nm-cloud-setup/nm-cloud-setup.service.in b/src/nm-cloud-setup/nm-cloud-setup.service.in
index a2b4581f39..e73654d892 100644
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@@ -22,22 +22,30 @@ ExecStart=@libexecdir@/nm-cloud-setup
 #Environment=NM_CLOUD_SETUP_ALIYUN=yes
 CapabilityBoundingSet=
+KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectProc=invisible
 ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+
+DevicePolicy=closed
+PrivateNetwork=no
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service
 [Install]
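Review bot: On a systemd release that does not know a directive, the unit still loads and starts — the unknown key is only logged as ignored — so on the older releases the commit message mentions the service runs with visibly less sandboxing than this file promises, and nothing in the unit itself tells a packager which of the newly added keys (`KeyringMode=`, `PrivateUsers=`, `ProtectClock=`, `ProtectProc=`, `SystemCallArchitectures=`, `DevicePolicy=`) are the recent ones; a comment above the hardening block such as `# Some of these directives need a recent systemd; older releases log them as unknown and ignore them, so check the journal after packaging for an older target.` would make that degradation discoverable. `PrivateNetwork=no` restates the default, which is fine as a statement of intent, but the new group it heads (with `DevicePolicy=` and the moved `RestrictAddressFamilies=`) has no comment explaining why network access must stay on — presumably the service has to reach the cloud provider's metadata endpoint over IPv4/IPv6, which I infer from the service's purpose rather than from this hunk, so confirm it before writing `# Network access is required, hence PrivateNetwork=no and the address families below.` Since `RestrictAddressFamilies=` still permits AF_INET/AF_INET6 to any destination, `IPAddressDeny=`/`IPAddressAllow=` scoped to the endpoints the service actually contacts would be a natural follow-up, as would `ProcSubset=pid` next to `ProtectProc=invisible`.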