cloud-setup: more sandboxing in service file

Note that some of those sandboxing options may require relatively recent systemd. In that case, to run against older systemd, you will need to patch the service file. I don't think there is a way around that, and limiting outselves to only the oldest supported option is harmful for users who run recent systemd. See-also: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
2024-10-01 13:55:36 +00:00 · 2023-11-22 11:11:15 +01:00 · 2023-11-22 11:11:15 +01:00 · 6fb4af7300
parent b4340fd9a2
commit 6fb4af7300
2 changed files with 10 additions and 1 deletions
--- a/1
+++ b/1
@ -22,6 +22,7 @@ Overview of changes since NetworkManager-1.44
 * Limit number of exported IP addresses/routes on D-Bus to 100 to reduce
  performance cost. Also, D-Bus updates for addresses/routes are now rate
  limited to 3 per second.
+* cloud-setup: enable more sandboxing options in systemd service file.

 =============================================
 NetworkManager-1.44
--- a/src/nm-cloud-setup/nm-cloud-setup.service.in
+++ b/src/nm-cloud-setup/nm-cloud-setup.service.in
@ -22,22 +22,30 @@ ExecStart=@libexecdir@/nm-cloud-setup
 #Environment=NM_CLOUD_SETUP_ALIYUN=yes

 CapabilityBoundingSet=
+KeyringMode=private
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
 ProtectKernelLogs=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
+ProtectProc=invisible
 ProtectSystem=strict
-RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+
+DevicePolicy=closed
+PrivateNetwork=no
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
 SystemCallFilter=@system-service

 [Install]