[systemd-devel] [PATCH] timesyncd: tighten unit file

Topi Miettinen toiwoton at gmail.com
Sun Jan 25 02:23:02 PST 2015 

There's no need for CAP_CHOWN, CAP_DAC_OVERRIDE or CAP_FOWNER.

No new privileges are needed, especially no setuid fixups are expected.

Device policy can be closed, timesyncd does not access any devices.

Timesyncd only needs write access to /var/lib/systemd/clock. There's no
need to access /boot nor most API filesystems.

Install a system call filter, generated with 'strace -c'.

Only one additional process is needed.

Mounts should not propagate back, so set the MountFlags to slave
(actually default since we use e.g. PrivateTmp).
---
 units/systemd-timesyncd.service.in | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in
index 39edafc..ef09f05 100644
--- a/units/systemd-timesyncd.service.in
+++ b/units/systemd-timesyncd.service.in
@@ -22,12 +22,21 @@ Type=notify
 Restart=always
 RestartSec=0
 ExecStart=@rootlibexecdir@/systemd-timesyncd
-CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER
+CapabilityBoundingSet=CAP_SYS_TIME CAP_SETUID CAP_SETGID CAP_SETPCAP
+NoNewPrivileges=true
+SecureBits=no-setuid-fixup no-setuid-fixup-locked
 PrivateTmp=yes
 PrivateDevices=yes
+DevicePolicy=closed
 ProtectSystem=full
 ProtectHome=yes
+InaccessibleDirectories=/dev/pts /dev/shm /dev/mqueue /dev/hugepages /boot /sys
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/lib/systemd/clock
 WatchdogSec=1min
+SystemCallFilter=recvfrom clock_gettime prctl read open close stat fstat poll lseek mmap mprotect munmap brk rt_sigaction rt_sigprocmask ioctl access madvise socket connect sendto sendmsg recvmsg bind getsockname socketpair setsockopt getsockopt clone fcntl umask getrlimit setgroups setresuid setresgid capget capset arch_prctl gettid futex set_tid_address epoll_wait epoll_ctl inotify_add_watch set_robust_list utimensat timerfd_create timerfd_settime signalfd4 epoll_create1 inotify_init1 clock_adjtime sendmmsg
+LimitNPROC=2
+MountFlags=slave
 
 [Install]
 WantedBy=sysinit.target
-- 
2.1.4

More information about the systemd-devel mailing list