[Pkg-utopia-maintainers] Bug#1040203: udisks2: should use the systemd-analyze security features

Russell Coker russell at coker.com.au
Mon Jul 3 13:08:18 BST 2023 

Package: udisks2
Version: 2.9.4-4
Severity: normal

I don't think this daemon is a likely target of attack.  But I think it's
goot to try and keep the overall score from "systemd-analyze security" as low
as possible.

My tests show that it seems to work OK with the following settings.  I think
that more testing is needed before adding all of them.  But some of them are
low risk like restricting to AF_UNIX and restricting capabilities and the
system call architecture.

[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN
# needs @resources
SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
SystemCallArchitectures=native
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectHostname=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_UNIX

-- System Information:
Debian Release: 12.0
  APT prefers stable-security
  APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-9-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default

Versions of packages udisks2 depends on:
ii  dbus                   1.14.6-1
ii  libacl1                2.3.1-3
ii  libatasmart4           0.19-5
ii  libblockdev-fs2        2.28-2
ii  libblockdev-loop2      2.28-2
ii  libblockdev-part2      2.28-2
ii  libblockdev-swap2      2.28-2
ii  libblockdev-utils2     2.28-2
ii  libblockdev2           2.28-2
ii  libc6                  2.36-9
ii  libglib2.0-0           2.74.6-2
ii  libgudev-1.0-0         237-2
ii  libmount1              2.38.1-5+b1
ii  libpolkit-agent-1-0    122-3
ii  libpolkit-gobject-1-0  122-3
ii  libsystemd0            252.6-1
ii  libudisks2-0           2.9.4-4
ii  libuuid1               2.38.1-5+b1
ii  parted                 3.5-3
ii  udev                   252.6-1

Versions of packages udisks2 recommends:
ii  dosfstools           4.2-1
ii  e2fsprogs            1.47.0-2
ii  eject                2.38.1-5+b1
pn  exfatprogs           <none>
ii  libblockdev-crypto2  2.28-2
ii  libpam-systemd       252.6-1
ii  ntfs-3g              1:2022.10.3-1+b1
ii  polkitd              122-3

Versions of packages udisks2 suggests:
ii  btrfs-progs          6.2-1
ii  f2fs-tools           1.15.0-1
pn  libblockdev-mdraid2  <none>
ii  mdadm                4.2-5
pn  nilfs-tools          <none>
pn  reiserfsprogs        <none>
pn  udftools             <none>
pn  udisks2-bcache       <none>
pn  udisks2-btrfs        <none>
pn  udisks2-lvm2         <none>
pn  udisks2-zram         <none>
pn  xfsprogs             <none>

-- no debconf information

More information about the Pkg-utopia-maintainers mailing list