Security has been improved from "9.6 UNSAFE 😨" to "2.3 OK 🙂". `systemd-analyze security tinc@` now returns:

```
  NAME DESCRIPTION EXPOSURE
✓ SystemCallFilter=~@swap System call deny list defined for service, and @swap is included
✓ SystemCallFilter=~@resources System call deny list defined for service, and @resources is included
✓ SystemCallFilter=~@reboot System call deny list defined for service, and @reboot is included
✓ SystemCallFilter=~@raw-io System call deny list defined for service, and @raw-io is included
✓ SystemCallFilter=~@PRIVILEGED System call deny list defined for service, and @PRIVILEGED is included
✓ SystemCallFilter=~@obsolete System call deny list defined for service, and @obsolete is included
✓ SystemCallFilter=~@mount System call deny list defined for service, and @mount is included
✓ SystemCallFilter=~@module System call deny list defined for service, and @module is included
✓ SystemCallFilter=~@debug System call deny list defined for service, and @debug is included
✓ SystemCallFilter=~@cpu-emulation System call deny list defined for service, and @cpu-emulation is included
✓ SystemCallFilter=~@clock System call deny list defined for service, and @clock is included
✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1
  SupplementaryGroups= Service runs as root, option does not matter
  RemoveIPC= Service runs as root, option does not apply
✗ User=/DynamicUser= Service runs as root user 0.4
✓ RestrictRealtime= Service realtime scheduling access is restricted
✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock
✓ NoNewPrivileges= Service processes cannot acquire new privileges
✗ AmbientCapabilities= Service process receives ambient capabilities 0.1
✗ PrivateDevices= Service potentially has access to hardware devices 0.2
✗ CapabilityBoundingSet=~CAP_BPF Service may load BPF programs
✓ SystemCallArchitectures= Service may execute system calls only with native ABI
✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1
✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3
✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy
✓ ProtectProc= Service has restricted access to process tree (/proc hidepid=)
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has no ptrace() debugging abilities
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has no privileges to change resource use parameters
✗ DeviceAllow= Service has no device ACL 0.2
✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has no administrator privileges
✓ PrivateTmp= Service has no access to other software's temporary files
✓ ProcSubset= Service has no access to non-process /proc files (/proc subset=)
✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging
✓ ProtectHome= Service has no access to home directories
✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1
✗ PrivateNetwork= Service has access to the host's network 0.5
✗ PrivateUsers= Service has access to other users 0.2
✓ KeyringMode= Service doesn't share key material with other services
✓ Delegate= Service does not maintain its own delegated control group subtree
✗ IPAddressDeny= Service does not define an IP address allow list 0.2
✓ NotifyAccess= Service child processes cannot alter service state
✓ ProtectClock= Service cannot write to the hardware clock or system clock
✓ CapabilityBoundingSet=~CAP_SYS_PACCT Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_KILL Service cannot send UNIX signals to arbitrary processes
✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service cannot override UNIX file/IPC permission checks
✓ ProtectControlGroups= Service cannot modify the control group file system
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK Service cannot lock memory into RAM
✓ ProtectKernelModules= Service cannot load or read kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_SYS_BOOT Service cannot issue reboot()
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT Service cannot issue chroot()
✓ PrivateMounts= Service cannot install system mounts
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service cannot establish wake locks
✓ MemoryDenyWriteExecute= Service cannot create writable executable memory mappings
✓ RestrictNamespaces=~user Service cannot create user namespaces
✓ RestrictNamespaces=~pid Service cannot create process namespaces
✓ RestrictNamespaces=~net Service cannot create network namespaces
✓ RestrictNamespaces=~uts Service cannot create hostname namespaces
✓ RestrictNamespaces=~mnt Service cannot create file system namespaces
✓ CapabilityBoundingSet=~CAP_LEASE Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes
✓ RestrictNamespaces=~cgroup Service cannot create cgroup namespaces
✓ RestrictNamespaces=~ipc Service cannot create IPC namespaces
✓ ProtectHostname= Service cannot change system host/domainname
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service cannot change file ownership/access mode/capabilities
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service cannot change UID/GID identities/capabilities
✓ LockPersonality= Service cannot change ABI personality
✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …)
✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet sockets
✓ RestrictAddressFamilies=~AF_UNIX Service cannot allocate local sockets
✓ RestrictAddressFamilies=~… Service cannot allocate exotic sockets
✓ CapabilityBoundingSet=~CAP_MAC_* Service cannot adjust SMACK MAC
✓ RestrictSUIDSGID= SUID/SGID file creation by service is restricted
✗ UMask= Files created by service are world-readable by default 0.1

→ Overall exposure level for tinc@.service: 2.3 OK 🙂
```

Signed-off-by: Marek Küthe <[email protected]>
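The commit page shows only the resulting `systemd-analyze security` scorecard, not the unit change itself. The drop-in below is an added, illustrative reconstruction (not the commit's actual diff) of a `[Service]` section that produces the passed (✓) checks in that output. It assumes that tincd runs as root and manages a tun/tap interface, which is why `User=`, `PrivateNetwork=`, `PrivateDevices=` and the `CAP_NET_*` capabilities are deliberately left open and still appear as ✗ lines with a nonzero exposure; the file path and the commented `ReadWritePaths=` line are assumptions as well.

```ini
# Assumed location: /etc/systemd/system/tinc@.service.d/hardening.conf
# Added example, not the project's own unit file. Every directive below maps
# to a check that the scorecard in the commit message reports as passed.
[Service]
# No privilege escalation through setuid/fscaps binaries (NoNewPrivileges= check).
NoNewPrivileges=yes
# Keep only what a VPN daemon that creates and configures a tun interface needs.
# Everything else (CAP_SYS_ADMIN, CAP_SYS_PTRACE, CAP_SYS_MODULE, CAP_SETUID, ...)
# is dropped from the bounding set, which is what the ~CAP_* lines measure.
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
# Native ABI only and a deny list of syscall groups (SystemCallFilter=~@... lines).
SystemCallArchitectures=native
SystemCallFilter=~@swap @resources @reboot @raw-io @privileged @obsolete @mount @module @debug @cpu-emulation @clock
# Allow list of socket families: IPv4/IPv6 for the VPN transport, netlink for
# interface configuration. AF_UNIX and AF_PACKET are therefore denied.
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
# Forbid creating any new namespace (all seven RestrictNamespaces=~ lines).
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Read-only OS hierarchy; /dev, /proc and /sys remain available.
ProtectSystem=strict
# Assumption: if tincd writes its pid file under /run, that path must be
# re-opened for writing, e.g. with the line below or RuntimeDirectory=.
#ReadWritePaths=/run
ProtectHome=yes
ProtectProc=invisible
ProcSubset=pid
PrivateTmp=yes
PrivateMounts=yes
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
KeyringMode=private
# Left unset on purpose, as the scorecard shows: PrivateDevices= would hide
# /dev/net/tun, and PrivateNetwork= would remove the host network the VPN rides on.
```

Install it with `systemctl edit tinc@.service` (or by writing the file and running `systemctl daemon-reload`), restart the instance, check `journalctl -u tinc@<netname>` for seccomp or permission errors, and re-run `systemd-analyze security tinc@.service` to confirm the score. The residual exposure in the scorecard comes from root, `CAP_NET_ADMIN`, host networking and unrestricted device access; of those, the 0.2 for `DeviceAllow=` is the one that can still be narrowed without changing how tincd runs, by granting `DeviceAllow=/dev/net/tun rw` instead of leaving the device ACL empty.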