networkmanager: harden further with NoNewPrivileges and PrivateTmp
parent
0e2d86ac96
commit
8c256c629b
|
@ -68,8 +68,10 @@ in {
|
||||||
# "CAP_KILL"
|
# "CAP_KILL"
|
||||||
];
|
];
|
||||||
serviceConfig.LockPersonality = true;
|
serviceConfig.LockPersonality = true;
|
||||||
|
serviceConfig.NoNewPrivileges = true;
|
||||||
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
|
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
|
||||||
serviceConfig.PrivateIPC = true;
|
serviceConfig.PrivateIPC = true;
|
||||||
|
serviceConfig.PrivateTmp = true;
|
||||||
# serviceConfig.PrivateUsers = true; #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others). "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
|
# serviceConfig.PrivateUsers = true; #< BREAKS NetworkManager (presumably, it causes a new user namespace, breaking CAP_NET_ADMIN & others). "platform-linux: do-change-link[3]: failure 1 (Operation not permitted)"
|
||||||
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
||||||
serviceConfig.ProtectControlGroups = true;
|
serviceConfig.ProtectControlGroups = true;
|
||||||
|
@ -125,8 +127,10 @@ in {
|
||||||
serviceConfig.User = "networkmanager"; # TODO: should arguably use `DynamicUser`
|
serviceConfig.User = "networkmanager"; # TODO: should arguably use `DynamicUser`
|
||||||
serviceConfig.Group = "networkmanager";
|
serviceConfig.Group = "networkmanager";
|
||||||
serviceConfig.LockPersonality = true;
|
serviceConfig.LockPersonality = true;
|
||||||
|
serviceConfig.NoNewPrivileges = true;
|
||||||
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
|
serviceConfig.PrivateDevices = true; # remount /dev with just the basics, syscall filter to block @raw-io
|
||||||
serviceConfig.PrivateIPC = true;
|
serviceConfig.PrivateIPC = true;
|
||||||
|
serviceConfig.PrivateTmp = true;
|
||||||
serviceConfig.PrivateUsers = true;
|
serviceConfig.PrivateUsers = true;
|
||||||
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
||||||
serviceConfig.ProtectControlGroups = true;
|
serviceConfig.ProtectControlGroups = true;
|
||||||
|
@ -152,8 +156,10 @@ in {
|
||||||
"CAP_NET_RAW"
|
"CAP_NET_RAW"
|
||||||
];
|
];
|
||||||
serviceConfig.LockPersonality = true;
|
serviceConfig.LockPersonality = true;
|
||||||
|
serviceConfig.NoNewPrivileges = true;
|
||||||
# serviceConfig.PrivateDevices = true; # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
|
# serviceConfig.PrivateDevices = true; # untried, not likely to work. remount /dev with just the basics, syscall filter to block @raw-io
|
||||||
serviceConfig.PrivateIPC = true;
|
serviceConfig.PrivateIPC = true;
|
||||||
|
serviceConfig.PrivateTmp = true;
|
||||||
# serviceConfig.PrivateUsers = true; #< untried, not likely to work
|
# serviceConfig.PrivateUsers = true; #< untried, not likely to work
|
||||||
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
serviceConfig.ProtectClock = true; # syscall filter to prevent changing the RTC
|
||||||
serviceConfig.ProtectControlGroups = true;
|
serviceConfig.ProtectControlGroups = true;
|
||||||
|
|
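Review bot: The new `serviceConfig.NoNewPrivileges = true;` and `serviceConfig.PrivateTmp = true;` lines are the only hardening options in these three units without a comment, while the neighbouring PrivateDevices, ProtectClock and PrivateUsers lines each explain what the option does or whether it was tested. I would annotate them the same way, e.g. `serviceConfig.NoNewPrivileges = true; # execve() can't gain privileges via setuid/fscaps; the capability set above is the only privilege source` and `serviceConfig.PrivateTmp = true; # private /tmp and /var/tmp, not shared with other units`. Since NoNewPrivileges applies to everything the service execs, it is worth recording in the comment that any helper NetworkManager spawns was checked to still work under it, in the same spirit as the "BREAKS NetworkManager" and "untried" notes on PrivateUsers. Each of the three serviceConfig attribute sets starts and ends outside its hunk, so I cannot see whether other options in the unit (for example SystemCallFilter) already imply NoNewPrivileges; if they do, the comment could say so.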