[gentoo-dev] [RFC] Encouraging using hardening options in systemd units

    From Kenton Groombridge@21:1/5 to All on Mon Aug 22 20:20:01 2022
    Hi everyone,

    I noticed that there are many systemd units which are shipped by various packages which could be hardened, some further than they are currently and some that could use some hardening in general.

    For those who are unaware, systemd units support many options which can be used to restrict privileges of the processes run by the service. Some of these options include things like making specified paths inaccessible or read-only, setting the no_new_privs flag, protecting kernel sysctls, preventing the loading of kernel modules, applying a seccomp filter to restrict syscalls, and more. I frequently reference systemd.exec(5)[1] and this page[2] for reference.

    Many of these options are fairly easy to apply from a user perspective - a user only needs to harden something like miniflux.service by overriding/setting options via 'systemctl edit miniflux.service' (or manually editing /etc/systemd/system/miniflux.service.d/override.conf). But, I want to propose an initiative to set some of these options by default for systemd units shipped in ::gentoo.

    Care must be taken though, as some of these options may end up breaking some functionality that could be expected by users. An example of this may be if the package maintainer made the root filesystem read-only for a service except for its private /var/lib, but a user was using an entirely different directory for the service's read-writable data. Something like this may need to be communicated via post-installation messages or simply left out by default, depending on the circumstances. On the other hand, there are many options like restricting syscalls via SystemCallFilter=@system-service or restricting privilege escalation via NoNewPrivileges=true that I think are generally safe to apply, but each service is different and needs to be handled and tested accordingly.

    As for getting units updated, I think a good place to start would be to create a new tracker bug for identifying packages providing systemd units that could be improved in this regard, and each bug filed could include recommendations for some of the more common options like ProtectSystem=, ProtectHome=, ProtectDevices=, and others.

    What do you think?

    [1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
    [2] https://docs.arbitrary.ch/security/systemd.html


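The kind of user-side drop-in the post describes, written out as an added example (it is not part of the original post and not the unit any package ships): the path /etc/systemd/system/miniflux.service.d/override.conf is the one the post names, while the /srv/miniflux-data directory is an assumed location standing in for the "entirely different directory" case. Note that the device-isolation option is spelled PrivateDevices= in systemd.exec(5); the post's ProtectDevices= refers to the same thing.

```ini
# /etc/systemd/system/miniflux.service.d/override.conf
# Added example hardening drop-in for miniflux.service. Everything in this
# file is merged into the packaged unit; run `systemctl daemon-reload` and
# restart the service after editing it.
[Service]
# Mount the whole filesystem read-only for this service (except /dev,
# /proc and /sys), so a compromised process cannot modify binaries or
# configuration anywhere on the host.
ProtectSystem=strict
ProtectHome=true
# Give the service its own /var/lib/miniflux; StateDirectory= creates it,
# chowns it to the service user and keeps it writable despite strict mode.
StateDirectory=miniflux
# The caveat from the post: data kept outside the private /var/lib must be
# opened explicitly, otherwise writes fail with EROFS. /srv/miniflux-data
# is an assumed, site-specific path; drop this line if it does not apply.
ReadWritePaths=/srv/miniflux-data
# Private /dev containing only pseudo-devices (null, zero, random, ...),
# no physical device nodes.
PrivateDevices=true
# Kernel sysctls, module loading and the cgroup tree become read-only.
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
# Child processes cannot gain privileges via setuid/fscaps binaries.
NoNewPrivileges=true
# seccomp allow-list of the syscalls a normal daemon needs; a process
# calling anything outside it is killed with SIGSYS unless
# SystemCallErrorNumber= is set to return an error instead.
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
```

`systemd-analyze security miniflux.service` prints an exposure score for the merged unit, which is a quick way to compare the packaged defaults with the drop-in applied.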