[v2,1/2] paccache.service.in: Harden unit

Message ID 20210709110106.lli35ditcnz75psl@gmail.com
State Accepted
Series [v2,1/2] paccache.service.in: Harden unit

Commit Message

Frederik “Freso” S. Olesen July 9, 2021, 11:01 a.m. UTC
Adds a number of sandboxing and other hardening options to the
paccache.service file.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/paccache.service.in | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

Comments

Daniel M. Capella July 28, 2021, 12:24 a.m. UTC | #1
Pushed, thank you!

On 7/9/21 7:01 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> Adds a number of sandboxing and other hardening options to the
> paccache.service file.
>
> Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
> ---
>   src/paccache.service.in | 27 +++++++++++++++++++++++++++
>   1 file changed, 27 insertions(+)
>
> diff --git a/src/paccache.service.in b/src/paccache.service.in
> index cd28e67..927574f 100644
> --- a/src/paccache.service.in
> +++ b/src/paccache.service.in
> @@ -4,3 +4,30 @@ Description=Remove unused cached package files
>   [Service]
>   Type=oneshot
>   ExecStart=@bindir@/paccache -r
> +# Sandboxing and other hardening
> +ProtectProc=invisible
> +ProcSubset=pid
> +NoNewPrivileges=yes
> +ProtectSystem=full
> +ProtectHome=yes
> +PrivateTmp=yes
> +PrivateDevices=yes
> +PrivateNetwork=yes
> +PrivateIPC=yes
> +PrivateUsers=yes
> +ProtectHostname=yes
> +ProtectClock=yes
> +ProtectKernelTunables=yes
> +ProtectKernelModules=yes
> +ProtectKernelLogs=yes
> +ProtectControlGroups=yes
> +RestrictAddressFamilies=AF_UNIX
> +RestrictNamespaces=yes
> +LockPersonality=yes
> +MemoryDenyWriteExecute=yes
> +RestrictRealtime=yes
> +RestrictSUIDSGID=yes
> +RemoveIPC=yes
> +PrivateMounts=yes
> +SystemCallFilter=@file-system
> +SystemCallArchitectures=native
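Review bot: the SystemCallFilter=@file-system line at the end of the hunk is an allow-list, and @file-system admits only file-system calls (open, stat, getdents, rename, unlink and friends); read(2)/write(2) live in @basic-io and fork/clone/wait in @process, so if paccache -r spawns a helper or reads from a pipe, the first such call is answered with SIGSYS and the unit fails unless it was verified under exactly this filter. Suggest the baseline systemd documents for ordinary services, which keeps the sandbox while admitting what a process normally needs:

SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

While testing, SystemCallErrorNumber=EPERM turns a blocked call into a visible error in the journal instead of a silent kill, and systemd-analyze security paccache.service gives a before/after score for the whole option set.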

Patch

diff --git a/src/paccache.service.in b/src/paccache.service.in
index cd28e67..927574f 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,30 @@  Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native
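Review bot: ProtectSystem=full keeps /var writable, which paccache needs for pacman's default cache directory (/var/cache/pacman/pkg), but it also leaves the rest of /var, /opt and /srv writable; ProtectSystem=strict plus an explicit ReadWritePaths= is the tighter form:

ProtectSystem=strict
ReadWritePaths=/var/cache/pacman/pkg

A caveat that belongs in the commit message either way: ExecStart passes no cache directory, so whatever location paccache resolves on its own has to be visible inside the sandbox, and ProtectHome=yes hides /home, /root and /run/user. A cache directory configured under one of those paths would simply be absent and the run would remove nothing, with no error to show for it; the same holds for any path left out of ReadWritePaths= if strict is adopted. Finally, with NoNewPrivileges and PrivateUsers already present, a CapabilityBoundingSet= line (empty, or the minimum the deletion needs) would close the one obvious gap left in this list.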