<div dir="ltr"><div>Hello Krish!</div><div><br></div><div>Above all, thank you for your ideas and your enthusiasm.  <br></div><div>I don't know why you cannot create a fork. Creating an account at fd.o's Gitlab instance was already quite demanding in the past, but after a series of hacker/miner attacks, maybe they made it even harder. Anyway, you can download a ZIP file of the repo any time and unpack it in your own git directory.  <br></div><div>Nonetheless, can you please send a plain diff? I don't know whether some options in your proposal are just shuffled, but I recognize some and recall that some of those are already covered by some options already used in current HEAD. By this time, polkit's security analysis should result below 0.9 SAFE, which is nice.</div><div><br></div><div>Thanks again and I'm looking forward to your reply.</div><div>Jan</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Jun 16, 2023 at 5:23 PM Krish Jain <<a href="mailto:kjain7@u.rochester.edu">kjain7@u.rochester.edu</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi, Jan.<br><br>I hope you're doing well.<br><br>I'm an intern collaborating with the Flatcar team, and I've been looking into ways to harden polkit. However, I currently don't have permission to fork the polkit repository to make a merge request. It seems that many public GitLab instances have implemented such restrictions to prevent spam or abuse.<br><br>I was hoping to propose some additional hardening options (refer to the details below or visit <a href="https://cpaste.org/?5273ced15344a895#Ef8YGQr39kLYNGe6QdTbAzRdajDrZnPt4N7rSSkFBC92" target="_blank">https://cpaste.org/?5273ced15344a895#Ef8YGQr39kLYNGe6QdTbAzRdajDrZnPt4N7rSSkFBC92</a>) and have them upstreamed to polkit. 
This would help reduce exposure, as indicated by the security analysis performed by systemd-analyze. I would greatly appreciate any feedback on the following options and the possibility of getting them incorporated into the upstream repository. Thank you!<br><br>Best regards,<br>Krish Jain<br>LinkedIn: <a href="https://www.linkedin.com/in/krishjain02/" target="_blank">https://www.linkedin.com/in/krishjain02/</a><br></div><div><br></div><div><pre>[Unit]
Description=Authorization Manager
Documentation=man:polkit(8)

[Service]
Type=dbus
BusName=org.freedesktop.PolicyKit1
ExecStart=/usr/lib/polkit-1/polkitd --no-debug


# Network Sandboxing

PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=~AF_INET AF_INET6 AF_NETLINK AF_PACKET
IPAccounting=yes
# IPAddressAllow=any
# IPAddressDeny= service needs access to all IPs

# File System Sandboxing

ProtectHome=yes
ProtectSystem=strict
ProtectProc=ptraceable
# ReadWritePaths=
PrivateTmp=yes


# User separation

# PrivateUsers= service runs as root
# DynamicUser= service runs as root
User=@polkitd_user@
Group=@polkitd_user@

# Device sandboxing

PrivateDevices=yes
# DeviceAllow=/dev/exampledevice
# DevicePolicy=strict

# Kernel

ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectClock=yes


# Other hardening

UMask=077
AmbientCapabilities=CAP_BPF CAP_PERFMON
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_SYS_RAWIO
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_NET_ADMIN
CapabilityBoundingSet=~CAP_KILL
CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
CapabilityBoundingSet=~CAP_SYS_BOOT
CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
CapabilityBoundingSet=~CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
CapabilityBoundingSet=~CAP_LEASE
CapabilityBoundingSet=~CAP_SYS_PACCT
CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
CapabilityBoundingSet=~CAP_SYS_ADMIN
# CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
CapabilityBoundingSet=~CAP_NET_RAW
CapabilityBoundingSet=~CAP_IPC_LOCK
NoNewPrivileges=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
IPAddressDeny=any
LimitMEMLOCK=0

# RemoveIPC= service runs as root

# System calls

SystemCallFilter=@system-service @resources
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module @privileged
SystemCallFilter=@system-service @resources @privileged
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module
SystemCallArchitectures=native</pre></div></div>
</blockquote></div>
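<p>Jan's request for a plain diff and his remark that some options look shuffled or already covered point at the hard part of reviewing a unit like the one above: systemd merges repeated list directives, so a proposal can quietly both allow and deny the same item, or drop a capability twice. The checker below is an added example written for this thread, not code from polkit or systemd. It parses the <code>[Service]</code> section and reports three things: a non-list directive assigned more than once (where the last value wins), a list directive whose positive and <code>~</code>-prefixed assignments overlap, and a deny entry already covered by a glob entry in the same directive. The sample unit is an excerpt of the proposal above; treating <code>CAP_DAC_*</code> as a shell glob is an assumption of this checker, and whether systemd accepts that form in <code>CapabilityBoundingSet</code> should be confirmed against its documentation before relying on it.</p>

```python
"""Linter for repeated and overlapping list directives in a systemd unit.

Constructed example for reviewing hardening proposals such as the one in
this thread; it is not part of polkit or systemd and only inspects text.
"""
import re
from collections import defaultdict
from fnmatch import fnmatchcase

# Directives that systemd merges across repeated assignments (assumed set;
# extend as needed). Everything else is treated as "last assignment wins".
LIST_DIRECTIVES = {"SystemCallFilter", "CapabilityBoundingSet", "RestrictAddressFamilies"}

# Excerpt of the proposal quoted above, used as sample input.
SAMPLE_UNIT = """\
[Unit]
Description=Authorization Manager

[Service]
Type=dbus
ExecStart=/usr/lib/polkit-1/polkitd --no-debug
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=~AF_INET AF_INET6 AF_NETLINK AF_PACKET
# IPAddressDeny= service needs access to all IPs
CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
CapabilityBoundingSet=~CAP_SYS_ADMIN
SystemCallFilter=@system-service @resources
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module @privileged
SystemCallFilter=@system-service @resources @privileged
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module
SystemCallArchitectures=native
"""


def parse_service_section(text):
    """Return (key, value) pairs from [Service], skipping blank and comment lines."""
    pairs = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def split_list(value):
    """Split a list directive value into (is_deny_list, items)."""
    negated = value.startswith("~")
    return negated, value.lstrip("~").split()


def lint(text):
    """Return human-readable findings for the [Service] section of a unit."""
    findings = []
    by_key = defaultdict(list)
    for key, value in parse_service_section(text):
        by_key[key].append(value)

    for key in sorted(by_key):
        values = by_key[key]
        if key not in LIST_DIRECTIVES and len(values) > 1:
            findings.append(f"{key} assigned {len(values)} times; last value wins ({values[-1]!r})")
        seen = set()
        for value in values:
            if value in seen:
                findings.append(f"duplicate line {key}={value}")
            seen.add(value)

    for key in sorted(LIST_DIRECTIVES & set(by_key)):
        allowed, denied = set(), set()
        for value in by_key[key]:
            negated, items = split_list(value)
            (denied if negated else allowed).update(items)
        # An item that is both allowed and denied is almost always a leftover
        # from reshuffling lines, which is exactly what a plain diff would show.
        for item in sorted(allowed & denied):
            findings.append(f"{key}: {item} is both allowed and denied")
        # Glob coverage is an assumption of this checker (see lead-in).
        patterns = [item for item in denied if "*" in item]
        for item in sorted(denied):
            for pattern in patterns:
                if item != pattern and fnmatchcase(item, pattern):
                    findings.append(f"{key}: ~{item} already covered by ~{pattern}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_UNIT):
        print(finding)
```

<p>Run against the excerpt, the checker reports that <code>@privileged</code> is both allowed and denied by the four <code>SystemCallFilter</code> lines and that <code>~CAP_DAC_READ_SEARCH</code> duplicates the <code>~CAP_DAC_*</code> entry; both are the kind of item that is easiest to settle with the plain diff Jan asked for, and the effective hardening should still be confirmed with <code>systemd-analyze security</code> on a system where the unit is installed.</p>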