TT#76552 Harden ngcp-panel service

ngcp-panel service state BEFORE this change:

| $ sudo systemd-analyze security ngcp-panel | tail -1
| → Overall exposure level for ngcp-panel.service: 9.2 UNSAFE 😨

ngcp-panel service state AFTER this change:

| $ sudo SYSTEMD_COLORS=0 PAGER= COLUMNS=100 unbuffer systemd-analyze security ngcp-panel | grep -v '✓'
|   NAME                                         DESCRIPTION                                  EXPOSURE
| ✗ PrivateNetwork=                              Service has access to the host's network          0.5
| ✗ RestrictAddressFamilies=~AF_(INET|INET6)     Service may allocate Internet sockets             0.3
| ✗ DeviceAllow=                                 Service has a device ACL with some special …      0.1
| ✗ IPAddressDeny=                               Service does not define an IP address allow…      0.2
| ✗ PrivateUsers=                                Service has access to other users                 0.2
| ✗ SystemCallFilter=~@privileged                System call allow list defined for service,…      0.2
| ✗ SystemCallFilter=~@resources                 System call allow list defined for service,…      0.2
| ✗ RootDirectory=/RootImage=                    Service runs within the host's root directo…      0.1
| ✗ RestrictAddressFamilies=~AF_UNIX             Service may allocate local sockets                0.1
|
| → Overall exposure level for ngcp-panel.service: 1.5 OK 🙂

As of systemd v247.3-7.

Change-Id: Id1218abdbe8e9ef27285b4aa4d25972b7646da11

debian/ngcp-panel.service

@@ -16,5 +16,109 @@ RuntimeDirectoryPreserve=yes
 PIDFile=/run/fastcgi/ngcp-panel.pid
 ExecStart=/usr/share/ngcp-panel/ngcp_panel_fastcgi.pl --listen /run/fastcgi/ngcp-panel.sock --pidfile /run/fastcgi/ngcp-panel.pid --nproc $NPROC
 
+# Service cannot create writable executable memory mappings that are writable and executable at the same time
+MemoryDenyWriteExecute=true
+
+# Files + directories not directly associated are made invisible in the /proc/ file system
+ProcSubset=pid
+
+# Writes to the hardware clock or system clock will be denied
+ProtectClock=true
+
+# Service cannot modify the control group file system (via /sys/fs/cgroup)
+ProtectControlGroups=true
+
+# Service has no access to home directories
+ProtectHome=true
+
+# Set up new UTS namespace for the executed processes + changing hostname or domainname is prevented
+ProtectHostname=true
+
+# Service cannot load or read kernel modules
+ProtectKernelModules=true
+
+# Service cannot alter kernel tunables (/proc + /sys)
+ProtectKernelTunables=true
+
+# Service has strict read-only access to the OS file hierarchy
+ProtectSystem=strict
+
+# Access to the kernel log ring buffer will be denied
+ProtectKernelLogs=true
+
+# Processes owned by other users are hidden from /proc/
+ProtectProc=invisible
+
+# Service may execute system calls only with native ABI
+SystemCallArchitectures=native
+
+# Limit set of capabilities
+CapabilityBoundingSet=
+
+# Service process does not receive ambient capabilities
+AmbientCapabilities=
+
+# Service has no access to other software's temporary files
+PrivateTmp=true
+
+# Service has no access to hardware devices
+PrivateDevices=true
+
+# Limit write access
+# NOTE: we need r/w access to ngcp-panel/Catalyst tmp folder
+ReadWritePaths=/ngcp-data/tmp/www-data/
+# NOTE: we need r/w access to /ngcp-data/spool/faxserver for sending fax
+ReadWritePaths=-/ngcp-data/spool/faxserver
+
+# Service cannot change ABI personality
+LockPersonality=true
+
+# Turn off acquisition of new privileges system-wide
+NoNewPrivileges=true
+
+# Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped
+# NOTE: we can't have our own user namespace, as we need proper permissions e.g. to /ngcp-data/spool/faxserver
+PrivateUsers=false
+
+# Service user cannot leave SysV IPC objects around
+# NOTE: service runs as root, so option does not matter
+RemoveIPC=true
+
+# Restrict service to allocation of local, ipv4 + ipv6 sockets
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+
+# Restrict access to the various process namespace types the Linux kernel provides
+RestrictNamespaces=true
+
+# Service may not acquire realtime scheduling
+RestrictRealtime=true
+
+# Attempts to set SUID or SGID bits on files or directories will be denied
+RestrictSUIDSGID=true
+
+# Files created by service are accessible only by service's own user by default
+UMask=0077
+
+# NOTE: Service needs access to the host's network
+PrivateNetwork=false
+
+# Control access to specific device nodes by the executed processes
+DevicePolicy=closed
+
+# NOTE: we need network access to e.g. redis server
+IPAddressAllow=any
+
+# Maximum number of bytes of memory that may be locked into RAM
+LimitMEMLOCK=0
+
+# Restrict system calls that are allowed to be executed
+# NOTE: @system-service => reasonable set of system calls used by common system services
+SystemCallFilter=@system-service
+# NOTE: return with ENOSYS instead of terminating the process immediately
+SystemCallErrorNumber=ENOSYS
+
+# All system calls except the listed ones will be logged
+SystemCallLog=~@system-service seccomp
+
 [Install]
 WantedBy=multi-user.target