[Pkg-utopia-maintainers] Bug#1032326: Bug#1032326: network-manager: need more systemd security features
Michael Biebl
biebl at debian.org
Sat Mar 4 08:16:49 GMT 2023
Control: tags -1 + upstream
Hi Russell,
it's definitely too late to do that for bookworm, so it will have to
wait for trixie.
This also would benefit from upstream feedback and is ideally applied
directly to the upstream provided NetworkManager.service.
Could you thus raise this at
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/ please?
Michael
Am 04.03.23 um 03:55 schrieb Russell Coker:
> Package: network-manager
> Version: 1.42.0-1
> Severity: normal
> Tags: patch
>
> Here is a set of additions to the systemd security policy for this. I have
> tested them with wifi networking and they work. They need more testing before
> including in Debian. We may be able to get a few of them at a suitable level
> of testing for the freeze but probably not most of them.
>
> [Service]
> # no new privs is an obvious one, no setuid programs etc run
> NoNewPrivileges=true
> # protecting kernel logs should be safe
> ProtectKernelLogs=true
> # this program does no CG or namespace management
> ProtectControlGroups=true
> RestrictNamespaces=true
> # protecting modules is probably safe
> ProtectKernelModules=true
> # changing system call arch and personality not needed
> SystemCallArchitectures=native
> LockPersonality=true
> # should be safe probably has no real impact
> UMask=077
> # tested and seems to work, should be obvious if it breaks things
> PrivateTmp=true
> # this would obviously break if it was needed, well written programs won't need it
> MemoryDenyWriteExecute=true
> # no need for realtime stuff
> RestrictRealtime=true
> # no need to create SETUID/SETGID programs
> RestrictSUIDSGID=true
>
> # not sure it needs rfkill, definitely doesn't need most devices
> DeviceAllow=/dev/rfkill
> DevicePolicy=closed
>
> # dhcp hostname and ntp should be a different process, right?
> ProtectHostname=true
> ProtectClock=true
>
> # only needs the @resources group
> SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
>
> # SE Linux does not allow CAP_SYS_CHROOT
> CapabilityBoundingSet=~CAP_SYS_CHROOT
>
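The quoted [Service] block, as an added audit script that is not part of the bug report or of NetworkManager: it parses a unit file or drop-in and lists which of the proposed directives are not applied, handling repeated and reset list directives and the deny-list (`~`) form of SystemCallFilter= and CapabilityBoundingSet=.

```python
# Audit a systemd unit's [Service] section against the hardening directives
# proposed in Bug#1032326 (added example, not code from the bug report or from
# NetworkManager; feed it the text of a unit file or drop-in).
BOOLEAN_DIRECTIVES = (  # directives the proposal sets to true
    "NoNewPrivileges", "ProtectKernelLogs", "ProtectControlGroups", "RestrictNamespaces",
    "ProtectKernelModules", "LockPersonality", "PrivateTmp", "MemoryDenyWriteExecute",
    "RestrictRealtime", "RestrictSUIDSGID", "ProtectHostname", "ProtectClock",
)
VALUED_DIRECTIVES = {  # non-boolean directives with the proposal's value
    "SystemCallArchitectures": "native", "UMask": "077", "DevicePolicy": "closed"}
DENIED_GROUPS = {  # syscall groups the proposal denies via SystemCallFilter=~
    "@mount", "@cpu-emulation", "@debug", "@raw-io", "@reboot", "@swap",
    "@obsolete", "@privileged"}
TRUE = {"1", "yes", "true", "on"}  # boolean spellings systemd accepts

def parse_unit(text):
    # Returns {section: {key: [values]}}. Repeated keys accumulate and an
    # empty assignment resets the list, as systemd does for list directives.
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
            unit.setdefault(section, {})
            continue
        key, _, value = line.partition("=")
        values = unit.setdefault(section, {}).setdefault(key.strip(), [])
        if value.strip():
            values.append(value.strip())
        else:
            values.clear()
    return unit

def negated_items(values):
    # Items named in deny-list ("~"-prefixed) assignments of a directive.
    return {item for v in values if v.startswith("~") for item in v[1:].split()}

def missing_hardening(service):
    # Proposed directives that this [Service] section does not apply.
    last = lambda key: (service.get(key) or [""])[-1]
    missing = [d for d in BOOLEAN_DIRECTIVES if last(d).lower() not in TRUE]
    missing += [f"{d}={v}" for d, v in VALUED_DIRECTIVES.items() if last(d) != v]
    denied = negated_items(service.get("SystemCallFilter", []))
    missing += [f"SystemCallFilter=~{g}" for g in sorted(DENIED_GROUPS - denied)]
    if "CAP_SYS_CHROOT" not in negated_items(service.get("CapabilityBoundingSet", [])):
        missing.append("CapabilityBoundingSet=~CAP_SYS_CHROOT")
    return missing
```

Run it as `missing_hardening(parse_unit(open("/etc/systemd/system/NetworkManager.service.d/hardening.conf").read())["Service"])` after merging the drop-in text with the shipped unit; an empty list means every proposed directive is in effect.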