From 29cf8436b82b09188a29333eebafb2167eb2da4e Mon Sep 17 00:00:00 2001 From: Michael Prokop Date: Mon, 14 Sep 2020 18:09:54 +0200 Subject: [PATCH] TT#76552 Harden ngcp-mediator service MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ngcp-mediator service state BEFORE this change: | $ systemd-analyze security ngcp-mediator | tail -1 | → Overall exposure level for ngcp-mediator.service: 9.5 UNSAFE 😨 ngcp-mediator service state AFTER this change: | $ sudo COLUMNS=142 systemd-analyze security ngcp-mediator | grep -v '✓' | NAME DESCRIPTION EXPOSURE | ✗ PrivateNetwork= Service has access to the host's network 0.5 | ✗ User=/DynamicUser= Service runs as root user 0.4 | ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 | ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3 | ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 | ✗ IPAddressDeny= Service defines IP address whitelits with only localhost entries 0.1 | ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2 | ✗ SystemCallFilter=~@privileged System call whitelist defined for service, and @privileged is included 0.2 | ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 | ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 | SupplementaryGroups= Service runs as root, option does not matter | RemoveIPC= Service runs as root, option does not apply | ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 | | → Overall exposure level for ngcp-mediator.service: 2.0 OK 🙂 Change-Id: If33c303b9df465393f15c0b685d1aab54a465df6 --- debian/ngcp-mediator.service | 78 ++++++++++++++++++++++++++++++++++++ 1 file changed, 78 insertions(+) diff --git a/debian/ngcp-mediator.service b/debian/ngcp-mediator.service index 6657e0b..a39a851 100644 --- a/debian/ngcp-mediator.service +++ b/debian/ngcp-mediator.service @@ -10,6 +10,84 @@ Wants=redis-server.service Type=notify ExecStart=/usr/bin/ngcp-mediator +# Service cannot create writable executable memory mappings that are writable and executable at the same time +MemoryDenyWriteExecute=true + +# Service cannot modify the control group file system (via /sys/fs/cgroup) +ProtectControlGroups=true + +# Service cannot load or read kernel modules +ProtectKernelModules=true + +# Service cannot alter kernel tunables (/proc + /sys) +ProtectKernelTunables=true + +# Service may execute system calls only with native ABI +SystemCallArchitectures=native + +# Limit set of capabilities +CapabilityBoundingSet= + +# Service process does not receive ambient capabilities +AmbientCapabilities= + +# Service has no access to other software's temporary files +PrivateTmp=true + +# Service has no access to hardware devices +PrivateDevices=true + +# Service has no access to home directories +ProtectHome=true + +# Service has strict read-only access to the OS file hierarchy +ProtectSystem=strict + +# Limit write access +ReadWritePaths=/run/ +ReadWritePaths=/var/log/ngcp/ + +# Service cannot change ABI personality +LockPersonality=true + +# Turn off acquisition of new privileges system-wide +NoNewPrivileges=true + +# Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped +PrivateUsers=true + +# Service user cannot leave SysV IPC objects around +# NOTE: service runs as root, so option does not matter +RemoveIPC=true + +# Restrict access to the various process namespace types the Linux kernel provides +RestrictNamespaces=true + +# Service may not acquire realtime scheduling +RestrictRealtime=true + +# Files created by service are accessible only by service's own user by default +UMask=0077 + +# NOTE: Service needs access to the host's network, to e.g. access redis DB +PrivateNetwork=false + +# Control access to specific device nodes by the executed processes +DevicePolicy=strict +DeviceAllow=/dev/null rw + +# Block all IP address ranges +# NOTE: allow access from localhost +IPAddressAllow=localhost +IPAddressDeny=any + +# Maximum number of bytes of memory that may be locked into RAM +LimitMEMLOCK=0 + +# Restrict system calls that are allowed to be executed +SystemCallFilter=@system-service +SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap memfd_create mincore mlock mlockall personality + [Install] WantedBy=multi-user.target Alias=mediator.service