[gssproxy] Harden systemd .service file

Most of the configuration options should be straightforward. The previous version of the .service file contained a comment that NoNewPrivileges=yes breaks the ability to open a socket under /var/lib/gssproxy. That does not appear to be correct because ProtectClock=yes was already set, which enables NoNewPrivileges. Furthermore, the comment for ProtectKernelTunables also appears to be incorrect, because it doesn't make all of /proc read-only (it's only /proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq, see man systemd.exec(5)), so /proc/net/rpc/use-gss-proxy is still writeable. Perhaps it was a mixup with ProtectProc? With this applied, the "systemd-analyze security gssproxy" score goes from 8.4 (EXPOSED) to 1.6 (OK). Tested with nfs-kernel-server, some more testing in other scenarios might still be necessary. Also, note that this expects all RW data to be stored under /var/lib/gssproxy. Signed-off-by: David Härdeman <[email protected]>
gssapi · Oct 23, 2023 · 00d9796 · 00d9796
1 parent 18a1f55
commit 00d9796
Showing 1 changed file with 37 additions and 17 deletions.
diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
@@ -5,30 +5,50 @@ After=syslog.target network.target
 Before=rpc-gssd.service
 
 [Service]
-StateDirectory=gssproxy/clients gssproxy/rcache
+ConfigurationDirectory=gssproxy
+StateDirectory=gssproxy gssproxy/clients gssproxy/rcache
 Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
 ExecStart=@sbindir@/gssproxy -i
 # This can be changed to notify-reload and ExecReload= can be removed once
 #   systemd 253 is common enough
 Type=notify
 ExecReload=/bin/kill -HUP $MAINPID
 
-ProtectSystem=full
-ProtectClock=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-RestrictRealtime=true
-# NoNewPrivileges: when true breaks the ability to open a socket
-#   under /var/lib/gssproxy so no NoNewPrivileges
-# PrivateTmp: can't be used as it hides ccaches stored in /tmp
-# ProtectHome: blocks access to /home which may hold ccaches
-# ProtectHostname: blocks propagation of hostname on change
-#   but in some cases, when using a keytab, we may want to see hostname
-#   changes as the server will want to respond only for the system name
-# ProtectKernelTunables: blocks ability to write to proc.
-#   on startup gssproxy needs to write in proc to let nfsd know it can
-#   use the "new" gssproxy method instead of the old rpc stuff.
-
+ProtectSystem=strict
+# Hides ccaches stored in /tmp
+PrivateTmp=no
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+# Blocks access to /home which may hold ccaches
+PrivateUsers=no
+ProtectHome=read-only
+# Blocks propagation of hostname on change but when using a keytab, we want to
+# see hostname changes as the server will want to respond only for that name
+ProtectHostname=no
+ProtectClock=yes
+# Does *not* block rw access to /proc/net/rpc/use-gss-proxy
+ProtectKernelTunables=yes
+# Blocks access to /proc/net/rpc/use-gss-proxy and executable name matching
+ProtectProc=default
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_LOCAL
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+PrivateMounts=yes
+# Stricter version=@default @basic-io @file-system @io-event @network-io @signal @ipc @process madvise umask uname
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+IPAddressDeny=any
+UMask=0177
 
 [Install]
 WantedBy=multi-user.target