On Thu, Jan 12, 2023 at 9:30 PM Wonko Pfux <42@wonko.de> wrote:
On Thu, Jan 12, 2023 at 07:55:07PM +0300, Andrei Borzenkov wrote:
On 12.01.2023 18:34, Wonko Pfux wrote:
On Thu, Jan 12, 2023 at 05:43:51PM +0300, Andrei Borzenkov wrote:
On Thu, Jan 12, 2023 at 5:28 PM Wonko Pfux <42@wonko.de> wrote:
Is it safe to set PrivateDevices=false
It is just as safe as it was before this change was introduced.
or is there another way?
You may try to add
DeviceAllow=/dev/net/tun
It seems PrivateDevices=true overrides DeviceAllow=/dev/net/tun.
Have you tried it?
yes
Unfortunately it seems my assumption was wrong: /proc is fully visible to the process. Just as if there was no DeviceAllow=
I am not sure how /proc is related here, but yes, it seems that there is no way to create additional device nodes with PrivateDevices - you only get several "standard" ones. So you should open a bug report to remove PrivateDevices. As far as I can tell, DevicePolicy=closed should provide a similar level of protection as PrivateDevices but using an eBPF filter to deny access to visible device nodes. So you may consider
DevicePolicy=closed
DeviceAllow=/dev/net/tun
So both are necessary?
PrivateDevices=false
It is necessary as a temporary workaround until the package is fixed, yes.
DeviceAllow=/dev/net/tun
No, if you disable PrivateDevices it is not necessary (unless you add some other hardening directives like DevicePolicy)
The systemd documentation does not state that DeviceAllow means all others are disallowed, but: "When access to all physical devices should be disallowed, PrivateDevices= may be used instead"
In the doc for DevicePolicy, which is not set in the service file, it is said that the default (auto) "allows access to all devices if no explicit DeviceAllow= is present"
I have not found docs on how ProtectSystem, which is set to full, affects DevicePolicy.
It should not.
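As an added example (not part of the thread, and not the package's own unit file), a drop-in that applies the workaround Andrei describes: the shipped hardening (PrivateDevices=true, which hides /dev/net/tun) beside the replacement that keeps a device whitelist but lets the service reach the TUN node. The unit name example-vpn.service is a placeholder.

```ini
# /etc/systemd/system/example-vpn.service.d/tun.conf  (unit name is a placeholder)
# Added example: drop-in overriding the hardening discussed in the thread.
[Service]
# Before: the shipped unit sets this, giving the service a private /dev with only
# the standard nodes; DeviceAllow= cannot add /dev/net/tun into that namespace.
#PrivateDevices=true

# After: drop the private /dev but keep device access whitelisted through the
# cgroup device filter (eBPF on cgroup v2) and explicitly permit the TUN node.
PrivateDevices=false
DevicePolicy=closed
# An empty assignment resets any DeviceAllow= list inherited from the main unit,
# so only the entries below remain.
DeviceAllow=
DeviceAllow=/dev/net/tun rw
```

After `systemctl daemon-reload`, `systemctl show -p PrivateDevices -p DevicePolicy -p DeviceAllow example-vpn.service` reports the effective values, and `systemd-analyze security example-vpn.service` shows how much exposure the change adds relative to the original hardening.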