Proposal for Further Hardening Polkit's Systemd Service [Merge Request]

Jan Rybar jrybar at redhat.com
Fri Jun 16 16:00:19 UTC 2023


Hello Krish!

Above all, thank you for your ideas and your enthusiasm.
I don't know why you cannot create a fork. Creating an account at fd.o's
Gitlab instance was already quite demanding in the past, but after a series
of hacker/miner attacks, maybe they made it even harder. Anyway, you can
download a ZIP file of the repo any time and unpack it in your own git
directory.
Nonetheless, can you please send a plain diff? I don't know whether some
options in your proposal are just shuffled, but I recognize some and recall
that some of those are already covered by some options already used in
current HEAD. By this time, polkit's security analysis should result below
0.9 SAFE, which is nice.

Thanks again and I'm looking forward to your reply.
Jan


On Fri, Jun 16, 2023 at 5:23 PM Krish Jain <kjain7 at u.rochester.edu> wrote:

> Hi, Jan.
>
> I hope you're doing well.
>
> I'm an intern collaborating with the Flatcar team, and I've been looking
> into ways to harden polkit. However, I currently don't have permission to
> fork the polkit repository to make a merge request. It seems that many
> public GitLab instances have implemented such restrictions to prevent spam
> or abuse.
>
> I was hoping to propose some additional hardening options (refer to the
> details below or visit
> https://cpaste.org/?5273ced15344a895#Ef8YGQr39kLYNGe6QdTbAzRdajDrZnPt4N7rSSkFBC92)
> and have them upstreamed to polkit. This would help reduce exposure, as
> indicated by the security analysis performed by systemd-analyze. I would
> greatly appreciate any feedback on the following options and the
> possibility of getting them incorporated into the upstream repository.
> Thank you!
>
> Best regards,
> Krish Jain
> LinkedIn: https://www.linkedin.com/in/krishjain02/
>
> [Unit]
> Description=Authorization Manager
> Documentation=man:polkit(8)
>
> [Service]
> Type=dbus
> BusName=org.freedesktop.PolicyKit1
> ExecStart=/usr/lib/polkit-1/polkitd --no-debug
>
> # Network Sandboxing
> PrivateNetwork=yes
> RestrictAddressFamilies=AF_UNIX
> RestrictAddressFamilies=~AF_INET AF_INET6 AF_NETLINK AF_PACKET
> IPAccounting=yes
> # IPAddressAllow=any
> # IPAddressDeny= service needs access to all IPs
>
> # File System Sandboxing
> ProtectHome=yes
> ProtectSystem=strict
> ProtectProc=ptraceable
> # ReadWritePaths=
> PrivateTmp=yes
>
> # User separation
> # PrivateUsers= service runs as root
> # DynamicUser= service runs as root
> User=@polkitd_user@
> Group=@polkitd_user@
>
> # Device sandboxing
> PrivateDevices=yes
> # DeviceAllow=/dev/exampledevice
> # DevicePolicy=strict
>
> # Kernel
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectKernelLogs=yes
> ProtectHostname=yes
> ProtectClock=yes
>
> # Other hardening
> UMask=077
> AmbientCapabilities=CAP_BPF CAP_PERFMON
> CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
> CapabilityBoundingSet=~CAP_SYS_RAWIO
> CapabilityBoundingSet=~CAP_SYS_PTRACE
> CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
> CapabilityBoundingSet=~CAP_NET_ADMIN
> CapabilityBoundingSet=~CAP_KILL
> CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
> CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
> CapabilityBoundingSet=~CAP_SYS_BOOT
> CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
> CapabilityBoundingSet=~CAP_SYS_CHROOT
> CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
> CapabilityBoundingSet=~CAP_LEASE
> CapabilityBoundingSet=~CAP_SYS_PACCT
> CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
> CapabilityBoundingSet=~CAP_SYS_ADMIN
> # CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
> CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
> CapabilityBoundingSet=~CAP_NET_RAW
> CapabilityBoundingSet=~CAP_IPC_LOCK
> NoNewPrivileges=yes
> ProtectControlGroups=yes
> RestrictNamespaces=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
> IPAddressDeny=any
> LimitMEMLOCK=0
> # RemoveIPC= service runs as root
>
> # System calls
> SystemCallFilter=@system-service @resources
> SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module @privileged
> SystemCallFilter=@system-service @resources @privileged
> SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module
> SystemCallArchitectures=native
>
>
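Jan's request for a plain diff can be met at the directive level rather than by eyeballing a shuffled unit file. The following is an added example, not polkit's own code: the two unit snippets BASELINE and PROPOSAL are constructed for illustration (not the real polkit unit), and parse_unit/directive_diff are hypothetical helper names. It normalizes both files (dropping comments and blank lines, keeping repeated list-type assignments) and reports which directives a proposal adds, which existing ones it drops, and which lines it repeats verbatim.

```python
from collections import Counter

def parse_unit(text):
    """Return 'Section/Key=Value' entries in order, keeping repeats (list-type
    settings such as SystemCallFilter accumulate). Comments and blanks dropped."""
    section, entries = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed unit line: {raw!r}")
        entries.append(f"{section}/{key.strip()}={value.strip()}")
    return entries

def directive_diff(baseline_text, proposal_text):
    """The plain diff a reviewer wants: directives the proposal adds, directives
    it drops, and lines it repeats verbatim (a no-op for list-type settings)."""
    base, prop = parse_unit(baseline_text), parse_unit(proposal_text)
    base_set, prop_set = set(base), set(prop)
    added = [e for e in dict.fromkeys(prop) if e not in base_set]
    removed = [e for e in dict.fromkeys(base) if e not in prop_set]
    repeated = sorted(e for e, n in Counter(prop).items() if n > 1)
    return added, removed, repeated

# Constructed sample units (not polkit's actual unit file): a minimal baseline
# and a proposal that adds sandboxing options, drops one, and repeats a line.
BASELINE = """\
[Service]
Type=dbus
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes
"""
PROPOSAL = """\
[Service]
Type=dbus
# Network Sandboxing
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
ProtectHome=yes
ProtectSystem=strict
SystemCallFilter=@system-service @resources
SystemCallFilter=~@debug @mount
SystemCallFilter=@system-service @resources
"""
```

Run against the real current unit and the proposal, the "removed" list is the one to read first: a hardening option silently dropped is the kind of regression a reshuffled file hides.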

