[Pkg-utopia-maintainers] Bug#1032326: Bug#1032326: network-manager: need more systemd security features
Michael Biebl
biebl at debian.org
Sat Mar 4 08:23:39 GMT 2023
See also:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/751
"Each sandboxing option will need an individual merge request and be
reviewed and discussed one at a time. Patches welcome!"
On 04.03.23 at 09:16, Michael Biebl wrote:
> Control: tags -1 + upstream
>
> Hi Russell,
>
> it's definitely too late to do that for bookworm, so it will have to
> wait for trixie.
>
> This also would benefit from upstream feedback and is ideally applied
> directly to the upstream provided NetworkManager.service.
>
> Could you thus raise this at
> https://gitlab.freedesktop.org/NetworkManager/NetworkManager/ please?
>
> Michael
>
>
> On 04.03.23 at 03:55, Russell Coker wrote:
>> Package: network-manager
>> Version: 1.42.0-1
>> Severity: normal
>> Tags: patch
>>
>> Here is a set of additions to the systemd security policy for this. I have
>> tested them with wifi networking and they work. They need more testing before
>> including in Debian. We may be able to get a few of them at a suitable level
>> of testing for the freeze but probably not most of them.
>>
>> [Service]
>> # no new privs is an obvious one, no setuid programs etc run
>> NoNewPrivileges=true
>> # protecting kernel logs should be safe
>> ProtectKernelLogs=true
>> # this program does no CG or namespace management
>> ProtectControlGroups=true
>> RestrictNamespaces=true
>> # protecting modules is probably safe
>> ProtectKernelModules=true
>> # changing system call arch and personality not needed
>> SystemCallArchitectures=native
>> LockPersonality=true
>> # should be safe probably has no real impact
>> UMask=077
>> # tested and seems to work, should be obvious if it breaks things
>> PrivateTmp=true
>> # this would obviously break if it was needed, well written programs won't need it
>> MemoryDenyWriteExecute=true
>> # no need for realtime stuff
>> RestrictRealtime=true
>> # no need to create SETUID/SETGID programs
>> RestrictSUIDSGID=true
>>
>> # not sure it needs rfkill, definitely doesn't need most devices
>> DeviceAllow=/dev/rfkill
>> DevicePolicy=closed
>>
>> # dhcp hostname and ntp should be a different process, right?
>> ProtectHostname=true
>> ProtectClock=true
>>
>> # only needs the @resources group
>> SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
>>
>> # SE Linux does not allow CAP_SYS_CHROOT
>> CapabilityBoundingSet=~CAP_SYS_CHROOT
>>
>
>
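The options above are meant to be tested one at a time, as upstream asks. An added example (not part of the bug report or of NetworkManager) of how a maintainer might stage them as a drop-in and lint the file offline before reloading the live unit: the drop-in directory and the file name hardening.conf are assumptions, and the directives are those from the report, with the two lines that the mail client wrapped re-joined, since a stray line such as "wont need it" inside [Service] is not a valid directive.

```shell
#!/bin/sh
# Added example, not from the bug report or NetworkManager: stage the reported
# sandboxing options as a systemd drop-in, lint it offline, then (as root)
# apply it and inspect the result. DROPIN_DIR and hardening.conf are assumed.

DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/NetworkManager.service.d}"

# Write the drop-in into the directory given as $1 and print its path.
write_dropin() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/hardening.conf" <<'EOF'
[Service]
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictNamespaces=true
ProtectKernelModules=true
SystemCallArchitectures=native
LockPersonality=true
UMask=077
PrivateTmp=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
# rfkill is the only device node kept; everything else is closed off
DeviceAllow=/dev/rfkill
DevicePolicy=closed
ProtectHostname=true
ProtectClock=true
# one logical line: the report's version was wrapped by the mail client
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
CapabilityBoundingSet=~CAP_SYS_CHROOT
EOF
    printf '%s\n' "$dir/hardening.conf"
}

# Offline lint: every non-blank, non-comment line must be a [Section] header
# or Key=Value. Prints each offending line and returns 1 if any were found.
lint_dropin() {
    file="$1"
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*|';'*|'['*']'|*=*) ;;
            *) printf 'invalid line: %s\n' "$line"; bad=1 ;;
        esac
    done < "$file"
    return "$bad"
}

# Number of Key=Value directives in a drop-in, as a staging sanity check.
count_directives() {
    grep -c '^[A-Za-z][A-Za-z0-9]*=' "$1" || true
}

# Apply to the running system (needs root and systemd): verify the unit with
# the drop-in, reload, restart, then look at the exposure score, the effective
# settings and the most recent log lines for anything the sandbox broke.
apply_dropin() {
    write_dropin "$DROPIN_DIR" >/dev/null
    systemd-analyze verify NetworkManager.service
    systemctl daemon-reload
    systemctl restart NetworkManager.service
    systemd-analyze security NetworkManager.service
    systemctl show -p NoNewPrivileges -p ProtectKernelLogs -p SystemCallFilter \
        -p CapabilityBoundingSet -p DevicePolicy NetworkManager.service
    journalctl -u NetworkManager.service -b --no-pager | tail -n 20
}

case "${1:-}" in
    apply) apply_dropin ;;
esac
```

Running the script with the argument apply performs the live steps; without it only the functions are defined, so the drop-in can be staged into a scratch directory and linted first. To follow upstream's one-option-at-a-time request, reduce the heredoc to a single directive per round and re-run apply_dropin between rounds.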