wpa_supplicant: harden systemd service
This commit is contained in:
parent
80eb385c64
commit
09333c992c
|
@ -135,7 +135,29 @@ in {
|
|||
"CAP_NET_ADMIN"
|
||||
"CAP_NET_RAW"
|
||||
];
|
||||
# TODO: it needs only these paths:
|
||||
serviceConfig.LockPersonality = true;
|
||||
# serviceConfig.PrivateDevices = true; # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
|
||||
serviceConfig.PrivateIPC = true;
|
||||
# serviceConfig.PrivateUsers = true; #< untried, not likely to work
|
||||
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
||||
serviceConfig.ProtectControlGroups = true;
|
||||
serviceConfig.ProtectHome = true; # makes empty: /home, /root, /run/user
|
||||
serviceConfig.ProtectHostname = true; # prevents changing hostname
|
||||
serviceConfig.ProtectKernelLogs = true; # disable /proc/kmsg, /dev/kmsg
|
||||
serviceConfig.ProtectKernelModules = true; # syscall filter to prevent module calls
|
||||
serviceConfig.ProtectKernelTunables = true; #< N.B.: i think this makes certain /proc writes fail
|
||||
serviceConfig.ProtectSystem = "strict"; # makes read-only: all but /dev, /proc, /sys.
|
||||
serviceConfig.RestrictAddressFamilies = [
|
||||
"AF_INET" #< required
|
||||
"AF_INET6"
|
||||
"AF_NETLINK" #< required
|
||||
"AF_PACKET" #< required
|
||||
"AF_UNIX" #< required (wpa_supplicant wants to use dbus)
|
||||
];
|
||||
serviceConfig.RestrictSUIDSGID = true;
|
||||
serviceConfig.SystemCallArchitectures = "native"; # prevents e.g. aarch64 syscalls in the event that the kernel is multi-architecture.
|
||||
|
||||
# from earlier `landlock` sandboxing, i know it needs only these paths:
|
||||
# - "/dev/net"
|
||||
# - "/dev/rfkill"
|
||||
# - "/proc/sys/net"
|
||||
|
|
Loading…
Reference in New Issue
Block a user