[Pkg-utopia-maintainers] Bug#1040203: udisks2: should use the systemd-analyze security features
Russell Coker
russell at coker.com.au
Mon Jul 3 13:08:18 BST 2023
Package: udisks2
Version: 2.9.4-4
Severity: normal
I don't think this daemon is a likely target of attack. But I think it's
good to try and keep the overall score from "systemd-analyze security" as low
as possible.
My tests show that it seems to work OK with the following settings. I think
that more testing is needed before adding all of them. But some of them are
low risk like restricting to AF_UNIX and restricting capabilities and the
system call architecture.
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN
# needs @resources
SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
SystemCallArchitectures=native
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectHostname=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_UNIX
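As an added example (not the reporter's, udisks2's or systemd's code), a small Python checker that parses a unit file or drop-in the way systemd reads list-valued keys and reports which of the directives proposed above are missing or weaker. The stub unit and its ExecStart path are constructed; a real check would feed it the output of `systemctl cat udisks2.service`.

```python
# Added example (not udisks2's or systemd's code): audit a unit/drop-in for the proposed hardening.
_TRUE = {"1", "yes", "true", "on"}
BOOL_DIRECTIVES = ("NoNewPrivileges", "ProtectKernelLogs", "ProtectControlGroups",
                   "ProtectKernelModules", "RestrictNamespaces", "RestrictSUIDSGID",
                   "LockPersonality", "ProtectHostname", "ProtectKernelTunables")
DENY_GROUPS = {"@cpu-emulation", "@debug", "@raw-io", "@reboot",
               "@swap", "@obsolete", "@privileged"}

def parse_service(text):
    """{key: [assignment, ...]} for [Service]; repeated keys accumulate
    (systemd list semantics) and an empty assignment resets the key."""
    out, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if line[:1] == "[" and line[-1:] == "]":
            section = line[1:-1]
        elif section == "Service" and line[:1] not in ("", "#", ";") and "=" in line:
            key, _, val = (p.strip() for p in line.partition("="))
            out[key] = out.get(key, []) + [val] if val else []
    return out

def words(svc, key):
    return set(" ".join(svc.get(key, [])).split())

def audit(unit_text):
    """Return findings against the proposed settings; an empty list means all are met."""
    svc, findings = parse_service(unit_text), []
    for d in BOOL_DIRECTIVES:                       # last assignment wins for scalars
        if svc.get(d, ["no"])[-1].lower() not in _TRUE:
            findings.append(f"{d} not enabled")
    caps = words(svc, "CapabilityBoundingSet")      # allow-list form assumed, not ~CAP_X
    if not caps or caps - {"CAP_SYS_ADMIN"}:
        findings.append("CapabilityBoundingSet wider than CAP_SYS_ADMIN")
    fams = words(svc, "RestrictAddressFamilies")
    if not fams or fams - {"AF_UNIX"}:
        findings.append("RestrictAddressFamilies allows more than AF_UNIX")
    # A leading '~' makes the whole assignment a deny-list of syscall groups.
    denied = {g for a in svc.get("SystemCallFilter", []) if a[:1] == "~" for g in a[1:].split()}
    if DENY_GROUPS - denied:
        findings.append("SystemCallFilter still allows " + " ".join(sorted(DENY_GROUPS - denied)))
    if "native" not in words(svc, "SystemCallArchitectures"):
        findings.append("SystemCallArchitectures not limited to native")
    if int(svc.get("UMask", ["022"])[-1], 8) & 0o077 != 0o077:  # systemd's default is 0022
        findings.append("UMask leaves group/other permission bits open")
    return findings

# Constructed inputs: the drop-in from this report, and an unhardened stub unit.
HARDENED = ("[Service]\nCapabilityBoundingSet=CAP_SYS_ADMIN\n"
            "SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged\n"
            "SystemCallArchitectures=native\nUMask=077\nRestrictAddressFamilies=AF_UNIX\n"
            + "".join(f"{d}=true\n" for d in BOOL_DIRECTIVES))
UNHARDENED = "[Unit]\nDescription=stub\n\n[Service]\nType=dbus\nExecStart=/path/to/udisksd\n"
```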
-- System Information:
Debian Release: 12.0
APT prefers stable-security
APT policy: (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-9-amd64 (SMP w/2 CPU threads; PREEMPT)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default
Versions of packages udisks2 depends on:
ii dbus 1.14.6-1
ii libacl1 2.3.1-3
ii libatasmart4 0.19-5
ii libblockdev-fs2 2.28-2
ii libblockdev-loop2 2.28-2
ii libblockdev-part2 2.28-2
ii libblockdev-swap2 2.28-2
ii libblockdev-utils2 2.28-2
ii libblockdev2 2.28-2
ii libc6 2.36-9
ii libglib2.0-0 2.74.6-2
ii libgudev-1.0-0 237-2
ii libmount1 2.38.1-5+b1
ii libpolkit-agent-1-0 122-3
ii libpolkit-gobject-1-0 122-3
ii libsystemd0 252.6-1
ii libudisks2-0 2.9.4-4
ii libuuid1 2.38.1-5+b1
ii parted 3.5-3
ii udev 252.6-1
Versions of packages udisks2 recommends:
ii dosfstools 4.2-1
ii e2fsprogs 1.47.0-2
ii eject 2.38.1-5+b1
pn exfatprogs <none>
ii libblockdev-crypto2 2.28-2
ii libpam-systemd 252.6-1
ii ntfs-3g 1:2022.10.3-1+b1
ii polkitd 122-3
Versions of packages udisks2 suggests:
ii btrfs-progs 6.2-1
ii f2fs-tools 1.15.0-1
pn libblockdev-mdraid2 <none>
ii mdadm 4.2-5
pn nilfs-tools <none>
pn reiserfsprogs <none>
pn udftools <none>
pn udisks2-bcache <none>
pn udisks2-btrfs <none>
pn udisks2-lvm2 <none>
pn udisks2-zram <none>
pn xfsprogs <none>
-- no debconf information