[Pkg-utopia-maintainers] Bug#1032326: network-manager: need more systemd security features
Russell Coker
russell at coker.com.au
Sat Mar 4 02:55:55 GMT 2023
Package: network-manager
Version: 1.42.0-1
Severity: normal
Tags: patch
Here is a set of additions to the systemd security policy for this. I have
tested them with wifi networking and they work. They need more testing before
including in Debian. We may be able to get a few of them at a suitable level
of testing for the freeze but probably not most of them.
[Service]
# no new privs is an obvious one, no setuid programs etc run
NoNewPrivileges=true
# protecting kernel logs should be safe
ProtectKernelLogs=true
# this program does no CG or namespace management
ProtectControlGroups=true
RestrictNamespaces=true
# protecting modules is probably safe
ProtectKernelModules=true
# changing system call arch and personality not needed
SystemCallArchitectures=native
LockPersonality=true
# should be safe probably has no real impact
UMask=077
# tested and seems to work, should be obvious if it breaks things
PrivateTmp=true
# this would obviously break if it was needed, well written programs won't need it
MemoryDenyWriteExecute=true
# no need for realtime stuff
RestrictRealtime=true
# no need to create SETUID/SETGID programs
RestrictSUIDSGID=true
# not sure it needs rfkill, definitely doesn't need most devices
DeviceAllow=/dev/rfkill
DevicePolicy=closed
# dhcp hostname and ntp should be a different process, right?
ProtectHostname=true
ProtectClock=true
# only needs the @resources group
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
# SE Linux does not allow CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_SYS_CHROOT
-- System Information:
Debian Release: bookworm/sid
APT prefers testing-debug
APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-5-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: default
Versions of packages network-manager depends on:
ii adduser 3.131
ii dbus [default-dbus-system-bus] 1.14.6-1
ii libaudit1 1:3.0.9-1
ii libbluetooth3 5.66-1
ii libc6 2.36-8
ii libcurl3-gnutls 7.88.1-1
ii libglib2.0-0 2.74.5-1
ii libgnutls30 3.7.9-1
ii libjansson4 2.14-2
ii libmm-glib0 1.20.4-1
ii libndp0 1.8-1
ii libnewt0.52 0.52.23-1+b1
ii libnm0 1.42.0-1
ii libpsl5 0.21.2-1
ii libreadline8 8.2-1.3
ii libselinux1 3.4-1+b5
ii libsystemd0 252.5-2
ii libteamdctl0 1.31-1
ii libudev1 252.5-2
ii policykit-1 122-3
ii polkitd 122-3
ii udev 252.5-2
Versions of packages network-manager recommends:
ii dnsmasq-base [dnsmasq-base] 2.89-1
ii libpam-systemd 252.5-2
pn modemmanager <none>
ii ppp 2.4.9-1+1.1+b1
ii wireless-regdb 2022.06.06-1
ii wpasupplicant 2:2.10-11
Versions of packages network-manager suggests:
ii iptables 1.8.9-2
pn libteam-utils <none>
Versions of packages network-manager is related to:
ii isc-dhcp-client 4.4.3-P1-1.1
-- Configuration Files:
/etc/NetworkManager/NetworkManager.conf [Errno 13] Permission denied: '/etc/NetworkManager/NetworkManager.conf'
/etc/NetworkManager/dispatcher.d/01-ifupdown [Errno 13] Permission denied: '/etc/NetworkManager/dispatcher.d/01-ifupdown'
-- no debconf information
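The drop-in above is meant to be tested incrementally before it lands in the package. The script below is an added example, not part of the bug report or of the network-manager package: it parses the proposed [Service] settings, lints them the way a maintainer would before a daemon-reload (systemd only warns about and ignores a misspelled key, so `NoNewPrivilege=true` would silently do nothing), and shows how the settings merge with a packaged unit under the rules in systemd.unit(5) and systemd.exec(5): scalar settings take the last assignment, list settings (SystemCallFilter, DeviceAllow, CapabilityBoundingSet) accumulate, an empty assignment resets a list, and `~`-prefixed CapabilityBoundingSet lines AND out of the set. The BASE_UNIT and ALL_CAPS values are constructed stand-ins, not NetworkManager's real unit or the kernel's full capability list.

```python
"""Lint and merge a systemd [Service] hardening drop-in before enabling it.
Added example, not part of the bug report; BASE_UNIT and ALL_CAPS are
constructed stand-ins, not the real NetworkManager.service."""

# The [Service] additions proposed in the report (comments omitted).
DROPIN = """\
[Service]
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictNamespaces=true
ProtectKernelModules=true
SystemCallArchitectures=native
LockPersonality=true
UMask=077
PrivateTmp=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
DeviceAllow=/dev/rfkill
DevicePolicy=closed
ProtectHostname=true
ProtectClock=true
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
CapabilityBoundingSet=~CAP_SYS_CHROOT
"""

# Constructed base unit (NOT the packaged one) to show how a drop-in merges.
BASE_UNIT = """\
[Service]
ExecStart=/usr/sbin/example-daemon --no-daemon
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_CHROOT
UMask=022
"""

LIST_KEYS = {"SystemCallFilter", "DeviceAllow", "CapabilityBoundingSet"}
BOOL_KEYS = {"NoNewPrivileges", "ProtectKernelLogs", "ProtectControlGroups",
             "RestrictNamespaces", "ProtectKernelModules", "LockPersonality",
             "PrivateTmp", "MemoryDenyWriteExecute", "RestrictRealtime",
             "RestrictSUIDSGID", "ProtectHostname", "ProtectClock"}
KNOWN_KEYS = LIST_KEYS | BOOL_KEYS | {"ExecStart", "UMask", "DevicePolicy",
                                      "SystemCallArchitectures"}
BOOL_VALUES = {"1", "yes", "true", "on", "0", "no", "false", "off"}
# Constructed short capability list standing in for the full kernel set.
ALL_CAPS = ["CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_SYS_ADMIN"]


def parse_unit(text):
    """Yield (section, key, value) triples; reject assignments outside a section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        yield section, key.strip(), value.strip()


def merge_service(*unit_texts):
    """Merge the [Service] sections of unit_texts, base first, drop-ins after."""
    merged = {}
    for text in unit_texts:
        for section, key, value in parse_unit(text):
            if section != "Service":
                continue
            if key in LIST_KEYS:
                if value == "":
                    merged[key] = []          # empty assignment resets the list
                else:
                    merged.setdefault(key, []).append(value)
            else:
                merged[key] = value           # scalar: last assignment wins
    return merged


def effective_bounding_set(lines, all_caps):
    """Apply CapabilityBoundingSet lines: plain lines OR in, '~' lines AND out.
    Before any assignment the set is the full bounding set, as in systemd."""
    caps = None                               # None == not assigned yet
    for line in lines:
        listed = set(line.lstrip("~").split())
        if line.startswith("~"):
            caps = (set(all_caps) if caps is None else caps) - listed
        else:
            caps = listed if caps is None else caps | listed
    return set(all_caps) if caps is None else caps


def lint_dropin(text):
    """Return problems systemd would only warn about (and then ignore)."""
    problems = []
    for section, key, value in parse_unit(text):
        if section != "Service":
            problems.append(f"unexpected section [{section}] in a [Service] drop-in")
        elif key not in KNOWN_KEYS:
            problems.append(f"unknown key {key!r} (ignored by systemd; typo?)")
        elif key in BOOL_KEYS and value.lower() not in BOOL_VALUES:
            problems.append(f"{key}={value!r} is not a boolean")
    return problems


if __name__ == "__main__":
    eff = merge_service(BASE_UNIT, DROPIN)
    print(lint_dropin(DROPIN) or "lint clean", "UMask", eff["UMask"],
          sorted(effective_bounding_set(eff["CapabilityBoundingSet"], ALL_CAPS)))
```

Run against a real system, the same check would be followed by `systemctl daemon-reload` and `systemd-analyze security NetworkManager.service`, which scores the merged result; the point of the merge function is to predict that result from the files alone, for example that the `~CAP_SYS_CHROOT` line narrows whatever bounding set the packaged unit already declares rather than replacing it.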