<div dir="ltr"><div>Hello Krish!</div><div> </div><div>Above all, thank you for your ideas and your enthusiasm. </div><div>I don't know why you cannot create a fork. Creating an account at fd.o's Gitlab instance was already quite demanding in the past, but after series of hacker/miner attacks, maybe they made it even harder. Anyway, you can download a ZIP file of the repo any time and unpack it in your own git directory. </div><div>Nonetheless, can you please send a plain diff? I don't know whether some options in your proposal are just shuffled, but I recognize some and recall that some of those are already covered by some options already used in current HEAD. By this time, polkit's security analysis should result below 0.9 SAFE, which is nice.</div><div> </div><div>Thanks again and I'm looking forward to your reply.</div><div>Jan</div><div> </div></div> <div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 16, 2023 at 5:23 PM Krish Jain <<a href="mailto:kjain7@u.rochester.edu">kjain7@u.rochester.edu</a>> wrote: </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi, Jan. I hope you're doing well. I'm an intern collaborating with the Flatcar team, and I've been looking into ways to harden polkit. However, I currently don't have permission to fork the polkit repository to make a merge request. It seems that many public GitLab instances have implemented such restrictions to prevent spam or abuse. I was hoping to propose some additional hardening options (refer to the details below or visit <a href="https://cpaste.org/?5273ced15344a895#Ef8YGQr39kLYNGe6QdTbAzRdajDrZnPt4N7rSSkFBC92" target="_blank">https://cpaste.org/?5273ced15344a895#Ef8YGQr39kLYNGe6QdTbAzRdajDrZnPt4N7rSSkFBC92</a>) and have them upstreamed to polkit. This would help reduce exposure, as indicated by the security analysis performed by systemd-analyze. I would greatly appreciate any feedback on the following options and the possibility of getting them incorporated into the upstream repository. Thank you! Best regards, Krish Jain LinkedIn: <a href="https://www.linkedin.com/in/krishjain02/" target="_blank">https://www.linkedin.com/in/krishjain02/</a> </div><div> </div><div><pre style="color:rgb(0,0,0);background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial"><pre style="background-image:initial;background-position:initial;background-size:initial;background-repeat:initial;background-origin:initial;background-clip:initial">[Unit] Description=Authorization Manager Documentation=man:polkit(8) [Service] Type=dbus BusName=org.freedesktop.PolicyKit1 ExecStart=/usr/lib/polkit-1/polkitd --no-debug # Network Sandboxing PrivateNetwork=yes RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=~AF_INET AF_INET6 AF_NETLINK AF_PACKET IPAccounting=yes # IPAddressAllow=any # IPAddressDeny= service needs access to all IPs # File System Sandboxing ProtectHome=yes ProtectSystem=strict ProtectProc=ptraceable # ReadWritePaths= PrivateTmp=yes # User seperation # PrivateUsers= service runs as root # DynamicUser= service runs as root User=@polkitd_user@ Group=@polkitd_user@ # Device sandboxing PrivateDevices=yes # DeviceAllow=/dev/exampledevice # DevicePolicy=strict # Kernel ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectHostname=yes ProtectClock=yes # Other hardening UMask=077 AmbientCapabilities=CAP_BPF CAP_PERFMON CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH CapabilityBoundingSet=~CAP_SYS_RAWIO CapabilityBoundingSet=~CAP_SYS_PTRACE CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER CapabilityBoundingSet=~CAP_NET_ADMIN CapabilityBoundingSet=~CAP_KILL CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE CapabilityBoundingSet=~CAP_SYS_BOOT CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE CapabilityBoundingSet=~CAP_SYS_CHROOT CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CapabilityBoundingSet=~CAP_LEASE CapabilityBoundingSet=~CAP_SYS_PACCT CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_SYS_ADMIN # CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP CapabilityBoundingSet=~CAP_NET_RAW CapabilityBoundingSet=~CAP_IPC_LOCK NoNewPrivileges=yes ProtectControlGroups=yes RestrictNamespaces=yes LockPersonality=yes MemoryDenyWriteExecute=yes RestrictRealtime=yes RestrictSUIDSGID=yes IPAddressDeny=any LimitMEMLOCK=0 # RemoveIPC= service runs as root # System calls SystemCallFilter=@system-service @resources SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module @privileged SystemCallFilter=@system-service @resources @privileged SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module SystemCallArchitectures=native</pre></pre></div></div> </blockquote></div>