[Pkg-utopia-maintainers] Bug#1040203: udisks2: should use the systemd-analyze security features
Andreas Henriksson
andreas at fatal.se
Tue Jul 4 08:42:20 BST 2023
Control: tags -1 + upstream
Hello Russell Coker,
On Mon, Jul 03, 2023 at 10:08:18PM +1000, Russell Coker wrote:
> Package: udisks2
> Version: 2.9.4-4
> Severity: normal
>
> I don't think this daemon is a likely target of attack. But I think it's
> good to try and keep the overall score from "systemd-analyze security" as low
> as possible.
>
> My tests show that it seems to work OK with the following settings. I think
> that more testing is needed before adding all of them. But some of them are
> low risk like restricting to AF_UNIX and restricting capabilities and the
> system call architecture.
I think this is a good idea, but I think it's a much better idea if we
have upstream maintain this along the code changes they make which might
influence what settings you need/want. Upstream provides the
udisks2.service file after all.
Could you create an upstream issue or even pull request?
https://github.com/storaged-project/udisks
>
> [Service]
> CapabilityBoundingSet=CAP_SYS_ADMIN
> # needs @resources
> SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
> SystemCallArchitectures=native
> UMask=077
> NoNewPrivileges=true
> ProtectKernelLogs=true
> ProtectControlGroups=true
> ProtectKernelModules=true
> RestrictNamespaces=true
> RestrictSUIDSGID=true
> LockPersonality=true
> ProtectHostname=true
> ProtectKernelTunables=true
> RestrictAddressFamilies=AF_UNIX
>
[...]
I'm guessing a topic for discussion upstream will be in which systemd
version each respective option was introduced, what version is the minimum
required one upstream thinks is acceptable to set as a requirement, and
making sure unsupported options are gracefully ignored.
If you know the answer to any of this for the above options, it might be
good to include it from the get-go.
Regards,
Andreas Henriksson
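As an added example that is not part of this thread: the settings proposed above installed as a drop-in override of the upstream-shipped unit, followed by a `systemd-analyze verify` pass that surfaces directives the running systemd does not recognise (they are ignored, so the security score alone would not reveal them). The file paths, the `--apply` switch and the helper function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the bug report or from udisks upstream.
# Installs the proposed [Service] settings as a drop-in so the packaged
# unit file stays untouched, then asks systemd which keys it understands.
set -eu

UNIT="udisks2.service"                        # assumed unit name
DROPIN_DIR="/etc/systemd/system/${UNIT}.d"    # assumed drop-in location

# Emit the override. Only [Service] keys go here; everything else stays
# in the packaged unit, so an upgrade of udisks2 does not clobber them.
hardening_dropin() {
    cat <<'EOF'
[Service]
CapabilityBoundingSet=CAP_SYS_ADMIN
# needs @resources
SystemCallFilter=~@cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
SystemCallArchitectures=native
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
RestrictNamespaces=true
RestrictSUIDSGID=true
LockPersonality=true
ProtectHostname=true
ProtectKernelTunables=true
RestrictAddressFamilies=AF_UNIX
EOF
}

# Number of Key=Value directives in the drop-in (section header and
# comment lines excluded); useful as a sanity check before installing.
directive_count() {
    hardening_dropin | grep -c '^[A-Za-z][A-Za-z]*='
}

# Write the drop-in, reload, then check it: "verify" warns about keys this
# systemd version does not know (they are silently dropped at load time,
# which would make the "security" score look better than it is), and
# "security" prints the per-directive exposure table for the unit.
apply_and_check() {
    mkdir -p "$DROPIN_DIR"
    hardening_dropin > "$DROPIN_DIR/hardening.conf"
    systemctl daemon-reload
    systemd-analyze verify "$UNIT"
    systemd-analyze security "$UNIT"
}

if [ "${1:-}" = "--apply" ]; then
    apply_and_check    # needs root; only runs when explicitly requested
fi
```

Run as `sh harden-udisks2.sh --apply` on a test machine; without `--apply` the script only defines the helpers.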