[systemd-devel] PrivateNetwork and libusb

Lennart Poettering lennart at poettering.net
Wed Dec 14 11:36:01 UTC 2016


On Wed, 14.12.16 10:55, Richard Hughes (hughsient at gmail.com) wrote:

> On 14 December 2016 at 09:32, Reindl Harald <h.reindl at thelounge.net> wrote:
> > RestrictAddressFamilies=AF_NETLINK
> 
> Great, that was the pointer I needed, thanks. I'm currently setting
> this in the service file:
> 
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelModules=yes
> RestrictAddressFamilies=AF_NETLINK AF_UNIX
> 
> Are there other important settings I've missed? fwupd does access the
> hardware and write the odd file to the filesystem so there didn't seem
> any other super useful flags. Thanks.

Well, depends on the systemd version you are running.

I'd also set if you can:

RestrictRealtime=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
ProtectKernelTunables=yes
ProtectSystem=full
PrivateDevices=yes
CapabilityBoundingSet=...

Lennart

-- 
Lennart Poettering, Red Hat
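As an added example (not code from this thread or from fwupd), a small POSIX shell check that reports which of the hardening directives discussed above a unit file does not set. The unit text is constructed for the example and the ExecStart path is a placeholder; the value for CapabilityBoundingSet is deliberately not supplied, since the thread leaves it to the unit author.

```shell
#!/bin/sh
# Constructed sample unit: the directives Richard listed, before Lennart's additions.
# ExecStart is a placeholder, not the real fwupd binary path.
SAMPLE_UNIT="$(cat <<'EOF'
[Unit]
Description=constructed fwupd-like sample (not the real fwupd.service)

[Service]
ExecStart=/path/to/daemon
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
RestrictAddressFamilies=AF_NETLINK AF_UNIX
EOF
)"

# Directives recommended in the thread (Richard's set plus Lennart's additions).
WANTED="NoNewPrivileges PrivateTmp PrivateUsers ProtectControlGroups ProtectHome \
ProtectKernelModules RestrictAddressFamilies RestrictRealtime MemoryDenyWriteExecute \
RestrictNamespaces SystemCallFilter ProtectKernelTunables ProtectSystem PrivateDevices \
CapabilityBoundingSet"

# Read a unit file on stdin and print, one per line, each wanted directive that is
# not set in it (a directive counts as set when a line starts with "Name=").
missing_hardening() {
    _unit="$(cat)"
    for _d in $WANTED; do
        printf '%s\n' "$_unit" | grep -q "^$_d=" || echo "$_d"
    done
}

# Stand-alone run: list what the constructed sample still lacks.
printf '%s\n' "$SAMPLE_UNIT" | missing_hardening
```

Which of the listed directives a hardware-touching daemon can actually tolerate has to be verified by running it under them; for instance PrivateDevices=yes replaces /dev with a private instance that hides real device nodes.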
