Sorry, was AFK for a few days.

On Fri, Jan 13, 2023 at 02:05:52PM +0300, Andrei Borzenkov wrote:
> On Fri, Jan 13, 2023 at 1:26 PM Wonko Pfux <42@wonko.de> wrote:
> ...
>> I have commented in bsc#1181400 the report that is referenced in the change that broke tinc.
>
> Each package has different requirements, so each package really needs its own post-hardening bug report.
>
>> I have also created https://build.opensuse.org/request/show/1058030 to get tinc working again.
>
> Personally I prefer explicit DevicePolicy=closed for documentation purposes.
>
>> BUT
>>
>> While trying to figure out what a secure config should be I stumbled across DevicePolicy not doing what is described in the systemd docs.
>
> As far as I can tell, DevicePolicy=closed should provide a similar level of protection as PrivateDevices but using an eBPF filter to deny access to visible device nodes. So you may consider
>
> DevicePolicy=closed
> DeviceAllow=/dev/net/tun
>
>> The systemd docs state DevicePolicy=closed gives you: "access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom."
>>
>> That is only mentioned in combination with DevicePolicy=auto: "allows access to all devices if no explicit DeviceAllow= is present. This is the default."
>
> What it tries to say is that if there is at least one DeviceAllow, only these devices are accessible. What it forgets to mention is that it *also* makes standard devices accessible. I.e. it is equivalent (really, just look at source code) to
>
> DevicePolicy=closed
> DeviceAllow=/dev/net/tun
>
> which is far better by making it obvious.

I will implement this.

>> I went through a couple of permutations to test this:
>>
>> Replaced ExecStart to be able to see what is visible in /dev
>>
>> ExecStart=bash -c 'find /dev -maxdepth 1 -printf " %%P" ;/usr/sbin/tincd -n %i -D'
>
> I am not sure what the point is. DevicePolicy does not hide device nodes, it restricts access to them. So whatever policy you use, you will see exactly the same /dev content. PrivateDevices is really a big hammer to completely hide /dev content.

That is where I was confused: I thought that /dev would be empty but for the defined files. I failed to understand that it's done through eBPF. I am getting old...

>> With the current package this shows that /dev contains: stderr stdout stdin fd core tty urandom random full zero null log hugepages mqueue shm char ptmx pts
>> No net/tun
>>
>> -PrivateDevices=true +DeviceAllow=/dev/net/tun
>> /dev fully populated inc /dev/net/tun
>> ------
>> -PrivateDevices=true +DevicePolicy=closed
>> /dev fully populated inc /dev/net/tun
>> ------
>> -PrivateDevices=true +DevicePolicy=closed +DeviceAllow=/dev/net/tun
>> /dev fully populated inc /dev/net/tun
>> ------
>> -PrivateDevices=true +DevicePolicy=auto +DeviceAllow=/dev/net/tun
>> /dev fully populated inc /dev/net/tun
>> ------
>> -PrivateDevices=true +DevicePolicy=strict
>> Failed to set up standard input: Operation not permitted
>
> Of course. DevicePolicy=strict means that only devices explicitly allowed by DeviceAllow are accessible. The /dev content still remains the same.
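The point the thread circles around is that the four drop-in permutations collapse to two effective policies, and that what changes is openability, not what `find /dev` lists. The script below is an added example (not code from the thread, from systemd or from the tinc package) that resolves a `[Service]` fragment to the policy systemd ends up programming into the device cgroup, using the rules as documented in systemd.resource-control(5): auto plus any DeviceAllow= becomes closed, closed implicitly adds the standard pseudo devices, strict adds nothing. Two things are my modelling assumptions: PrivateDevices=yes is treated as raising auto to closed (which matches the "No net/tun" result with the current package), and only the five documented implicit nodes are listed, while systemd's own list is a little longer. The optional `live_probe` needs root on a systemd host and uses `systemd-run` to repeat the thread's experiment in a transient unit.

```python
"""Work out what a systemd [Service] fragment's device settings actually do.

Added example for this thread; not code from systemd or the tinc package.
Rules encoded (from systemd.resource-control(5) / systemd.exec(5)):
  * DevicePolicy=auto plus at least one DeviceAllow= behaves as closed;
  * closed implicitly allows the documented standard pseudo devices;
  * strict allows exactly the DeviceAllow= entries, nothing else;
  * PrivateDevices=yes mounts a private /dev (hides nodes); modelled here as
    also raising the policy from auto to closed (assumption, verify locally).
The implicit list in systemd's cgroup code is a little longer than the five
documented nodes; check against the systemd version you run.
"""
import shutil
import subprocess

# Nodes systemd.resource-control(5) names for DevicePolicy=closed.
STANDARD_DEVICES = ("/dev/null", "/dev/zero", "/dev/full", "/dev/random", "/dev/urandom")


def parse_service(unit_text):
    """Collect DevicePolicy=, DeviceAllow= and PrivateDevices= from [Service].

    DeviceAllow= lines accumulate; an empty DeviceAllow= resets the list.
    """
    settings = {"DevicePolicy": None, "DeviceAllow": [], "PrivateDevices": False}
    section = None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "DevicePolicy":
            settings["DevicePolicy"] = value
        elif key == "DeviceAllow":
            if not value:
                settings["DeviceAllow"] = []
            else:
                node, _, access = value.partition(" ")
                settings["DeviceAllow"].append((node, access.strip() or "rwm"))
        elif key == "PrivateDevices":
            settings["PrivateDevices"] = value.lower() in ("yes", "true", "on", "1")
    return settings


def effective_policy(settings):
    """Return the policy systemd ends up programming into the device cgroup."""
    policy = settings["DevicePolicy"] or "auto"
    allow = list(settings["DeviceAllow"])
    warnings = []
    if settings["PrivateDevices"] and policy == "auto":
        policy = "closed"   # modelled: PrivateDevices= implies closed
    if policy == "auto" and allow:
        policy = "closed"   # documented: auto + DeviceAllow= == closed + DeviceAllow=
    if policy == "auto":
        allowed = None      # everything: no eBPF device filter at all
        warnings.append("no device filtering: every node in /dev is accessible")
    elif policy == "closed":
        allowed = [(node, "rwm") for node in STANDARD_DEVICES] + allow
    elif policy == "strict":
        allowed = allow
        if not any(node == "/dev/null" for node, _ in allow):
            warnings.append("strict without /dev/null: stdin/stdout setup fails with EPERM")
    else:
        raise ValueError(f"unknown DevicePolicy={policy}")
    return {
        "policy": policy,
        "dev_hidden": settings["PrivateDevices"],  # mount namespace (PrivateDevices=)
        "filtered": policy != "auto",              # cgroup device eBPF program
        "allowed": allowed,
        "warnings": warnings,
    }


def live_probe(policy, allow=()):
    """Root on a systemd host: rerun the thread's probe in a transient unit so
    'nodes listed' and 'nodes openable' can be compared. None if unavailable."""
    if shutil.which("systemd-run") is None:
        return None
    cmd = ["systemd-run", "-q", "--wait", "--pipe", "--collect", "-p", f"DevicePolicy={policy}"]
    for node in allow:
        cmd += ["-p", f"DeviceAllow={node}"]
    # Opening the node is the test; /dev is listed the same way under every policy.
    cmd += ["--", "sh", "-c", "ls /dev | wc -l; : </dev/net/tun && echo tun:open || echo tun:denied"]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # The permutations from the thread, resolved on paper.
    for frag in ("DeviceAllow=/dev/net/tun",
                 "DevicePolicy=closed",
                 "DevicePolicy=closed\nDeviceAllow=/dev/net/tun",
                 "DevicePolicy=auto\nDeviceAllow=/dev/net/tun",
                 "DevicePolicy=strict",
                 "PrivateDevices=true"):
        result = effective_policy(parse_service("[Service]\n" + frag + "\n"))
        print(frag.replace("\n", " "), "->", result)
    print(live_probe("closed", ["/dev/net/tun"]))
```

For an installed unit, `systemctl show -p DevicePolicy -p DeviceAllow tinc@foo.service` prints what the unit asks for (the implicit standard devices are added when the cgroup is programmed and do not appear there), and `systemd-analyze security tinc@foo.service` includes DevicePolicy= in its score. On a cgroup v2 host, `bpftool cgroup tree` lists the attached `device` program that actually enforces closed or strict.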