From 631c35af22e88b4a8ceab57e5e7f04791294a0dc Mon Sep 17 00:00:00 2001
From: Michael Prokop
Date: Mon, 7 Jun 2021 17:09:34 +0200
Subject: [PATCH] TT#76552 Harden ngcp-rate-o-mat service
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ngcp-rate-o-mat service state BEFORE this change:

| $ sudo systemd-analyze security ngcp-rate-o-mat | tail -1
| → Overall exposure level for ngcp-rate-o-mat.service: 9.6 UNSAFE 😨

ngcp-rate-o-mat service state AFTER this change:

| $ sudo systemd-analyze security ngcp-rate-o-mat | grep -v '✓'
|   NAME                                      DESCRIPTION                                                          EXPOSURE
| ✗ PrivateNetwork=                           Service has access to the host's network                                  0.5
| ✗ User=/DynamicUser=                        Service runs as root user                                                 0.4
| ✗ RestrictAddressFamilies=~AF_(INET|INET6)  Service may allocate Internet sockets                                     0.3
| ✗ DeviceAllow=                              Service has a device ACL with some special devices                        0.1
| ✗ IPAddressDeny=                            Service does not define an IP address allow list                          0.2
| ✗ ProtectClock=                             Service may write to the hardware clock or system clock                   0.2
| ✗ ProtectKernelLogs=                        Service may read from or write to the kernel log ring buffer              0.2
| ✗ ProtectProc=                              Service has full access to process tree (/proc hidepid=)                  0.2
| ✗ RestrictSUIDSGID=                         Service may create SUID/SGID files                                        0.2
| ✗ RootDirectory=/RootImage=                 Service runs within the host's root directory                             0.1
|   SupplementaryGroups=                      Service runs as root, option does not matter
|   RemoveIPC=                                Service runs as root, option does not apply
| ✗ ProtectHostname=                          Service may change system host/domainname                                 0.1
| ✗ RestrictAddressFamilies=~AF_UNIX          Service may allocate local sockets                                        0.1
| ✗ ProcSubset=                               Service has full access to non-process /proc files (/proc subset=)        0.1
|
| → Overall exposure level for ngcp-rate-o-mat.service: 2.1 OK 🙂

NOTE: state with systemd v247.3-5 on bullseye

Change-Id: Iace478d9c5762cd641a333c0ea7d1b77b919a10d
---
 debian/ngcp-rate-o-mat.service | 74 ++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
diff --git a/debian/ngcp-rate-o-mat.service b/debian/ngcp-rate-o-mat.service index abc3030..aabfde8 100644 --- a/debian/ngcp-rate-o-mat.service +++ b/debian/ngcp-rate-o-mat.service 
@@ -9,6 +9,80 @@ EnvironmentFile=-/etc/default/ngcp-rate-o-mat ExecStart=/usr/sbin/ngcp-rate-o-mat ExecReload=/bin/kill -HUP $MAINPID +# Service cannot create writable executable memory mappings that are writable and executable at the same time +MemoryDenyWriteExecute=true + +# Service cannot modify the control group file system (via /sys/fs/cgroup) +ProtectControlGroups=true + +# Service cannot load or read kernel modules +ProtectKernelModules=true + +# Service cannot alter kernel tunables (/proc + /sys) +ProtectKernelTunables=true + +# Service may execute system calls only with native ABI +SystemCallArchitectures=native + +# Limit set of capabilities +CapabilityBoundingSet= + +# Service process does not receive ambient capabilities +AmbientCapabilities= + +# Service has no access to other software's temporary files +PrivateTmp=true + +# Service has no access to hardware devices +PrivateDevices=true + +# Service has no access to home directories +ProtectHome=true + +# Service has strict read-only access to the OS file hierarchy +ProtectSystem=strict + +# Limit write access +ReadWritePaths=/run/ + +# Service cannot change ABI personality +LockPersonality=true + +# Turn off acquisition of new privileges system-wide +NoNewPrivileges=true + +# Service has own user namespace, only root, nobody, and the uid/gid under which the service is running are mapped +PrivateUsers=true + +# Service user cannot leave SysV IPC objects around +# NOTE: service runs as root, so option does not matter +RemoveIPC=true + +# Restrict access to the various process namespace types the Linux kernel provides +RestrictNamespaces=true + +# Service may not acquire realtime scheduling +RestrictRealtime=true + +# Files created by service are accessible only by service's own user by default +UMask=0077 + +# NOTE: Service needs access to the host's network, to access DB +PrivateNetwork=false + +# Control access to specific device nodes by the executed processes +DevicePolicy=closed + +# Maximum 
number of bytes of memory that may be locked into RAM +LimitMEMLOCK=0 + +# Restrict service to allocation of local sockets and network sockets only +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + +# Restrict system calls that are allowed to be executed +SystemCallFilter=@system-service +SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap + [Install] WantedBy=multi-user.target Alias=rate-o-mat.service
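Review bot: The hunk leaves the service running as root, which is both the largest single remaining exposure in the pasted AFTER output (`User=/DynamicUser=`, 0.4) and the reason several of the added directives do less than their comments suggest: `RemoveIPC=true` is annotated "service runs as root, so option does not matter", and `CapabilityBoundingSet=`, `AmbientCapabilities=`, `PrivateUsers=true` and `SystemCallFilter=~@privileged` only restrict a process that cannot simply act as uid 0 in the first place. If the daemon needs root only for the DB connection mentioned in the `PrivateNetwork=false` comment, consider adding a `User=` (or `DynamicUser=yes`) line next to `ReadWritePaths=/run/` and granting the state/log directories it needs explicitly; that also makes the `RemoveIPC` comment true rather than a caveat. Secondary points, all visible as remaining ✗ rows in the commit message's own `systemd-analyze security` output on the stated systemd v247: `ProtectClock=true`, `ProtectKernelLogs=true`, `ProtectHostname=true`, `RestrictSUIDSGID=true`, `ProtectProc=invisible` and `ProcSubset=pid` are cheap additions in the same block, and `SystemCallFilter=~... @resources` deserves a test run since it drops `setrlimit`/`prlimit`, which a Perl daemon that adjusts its own limits would trip over. Style nit: the first comment, "Service cannot create writable executable memory mappings that are writable and executable at the same time", says the same thing twice; "Service cannot create memory mappings that are writable and executable at the same time" is enough.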