[systemd-devel] SystemCallFilter= and systemd-analyze security

Michael Ströder michael at stroeder.com
Tue Aug 2 17:45:31 UTC 2022


Hi!

I have the same service unit with SystemCallFilter= installed on various 
Linux distros running in VMs but systemd-analyze security shows 
inconsistent results.

TL;DR: Newer systemd versions do not take SystemCallFilter=~ ... into 
account, leading to a significantly higher exposure level.

Is there something wrong with my service unit when used with newer systemd?

I guess slightly differing exposure levels are expected for different 
systemd versions but 1.5 vs. 3.0?

I've attached the service unit and the output of systemd-analyze 
security on four different VMs.

The different systems are:

ae-dir-deb-p1: Debian testing (bookworm) with systemd 251.2-7

ae-dir-deb-p2: Debian stable (bullseye) with systemd 247.3-7

ae-dir-suse-p1: openSUSE Tumbleweed testing with systemd 
251.2+suse.21.ge9fc337d97

ae-dir-suse-p2: openSUSE Leap 15.4 with systemd 249.11+suse.129.g17d488c53a

Any hint is highly appreciated.
Thanks in advance.

Ciao, Michael.
-------------- next part --------------
# /etc/systemd/system/ae-slapd.service
#-----------------------------------------------------------------------
# initiate:   systemctl enable ae-slapd.service
# start:      systemctl start ae-slapd.service
# get status: systemctl status ae-slapd.service
#
# Ansible managed: ansible-example-site/main
#-----------------------------------------------------------------------

[Unit]
Description=AE-DIR OpenLDAP server
Requires=local-fs.target network.target
After=local-fs.target network.target
Before=nss-user-lookup.target aehostd.service
Wants=nss-user-lookup.target

[Service]
Type=simple
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libjemalloc.so.2
Environment=SASL_CONF_PATH=/opt/ae-dir/etc/openldap/sasl2.conf
Environment=LDAPNOINIT=1
PIDFile=/run/ae-dir/slapd/slapd.pid
ExecStart=/opt/openldap-ms/libexec/slapd -d none -n ae-slapd -l LOCAL4 -s 6 -f /opt/ae-dir/etc/openldap/slapd.conf -h 'ldapi://%%2Frun%%2Fae-dir%%2Fslapd%%2Fldapi/????x-mod=0777 ldap://*:389 ldaps://*:636' -o slp=off
WorkingDirectory=/run/ae-dir/slapd
ReadWritePaths=/run/ae-dir/slapd /opt/ae-dir/slapd-db/accesslog /opt/ae-dir/slapd-db/um /opt/ae-dir/slapd-db/session
User=ae-dir-slapd
Group=ae-dir-slapd
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
LimitNOFILE=128
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# various hardening options from ansible var aedir_systemd_hardening
StandardInput=null
UMask=0077
PrivateUsers=no
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectProc=invisible
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
NoNewPrivileges=yes
MountFlags=private
SystemCallArchitectures=native
LockPersonality=yes
KeyringMode=private
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
DevicePolicy=closed
PrivateIPC=yes
RemoveIPC=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=~ @clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete splice @resources @chown @privileged @pkey @setuid @timer
SystemCallLog=@clock @cpu-emulation @debug @keyring @module @mount @raw-io @reboot @swap @obsolete splice @resources @chown @privileged @pkey @setuid @timer
AppArmorProfile=ae-slapd

[Install]
WantedBy=multi-user.target
-------------- next part --------------
  NAME                                                        DESCRIPTION                                                                                                EXPOSURE
✗ SystemCallFilter=~@swap                                     System call deny list defined for service, and @swap is not included (e.g. swapoff is allowed)                  0.2
✗ SystemCallFilter=~@resources                                System call deny list defined for service, and @resources is not included (e.g. ioprio_set is allowed)          0.2
✗ SystemCallFilter=~@reboot                                   System call deny list defined for service, and @reboot is not included (e.g. kexec_file_load is allowed)        0.2
✗ SystemCallFilter=~@raw-io                                   System call deny list defined for service, and @raw-io is not included (e.g. ioperm is allowed)                 0.2
✗ SystemCallFilter=~@privileged                               System call deny list defined for service, and @privileged is not included (e.g. chown is allowed)              0.2
✗ SystemCallFilter=~@obsolete                                 System call deny list defined for service, and @obsolete is not included (e.g. _sysctl is allowed)              0.1
✗ SystemCallFilter=~@mount                                    System call deny list defined for service, and @mount is not included (e.g. chroot is allowed)                  0.2
✗ SystemCallFilter=~@module                                   System call deny list defined for service, and @module is not included (e.g. delete_module is allowed)          0.2
✗ SystemCallFilter=~@debug                                    System call deny list defined for service, and @debug is not included (e.g. lookup_dcookie is allowed)          0.2
✗ SystemCallFilter=~@cpu-emulation                            System call deny list defined for service, and @cpu-emulation is not included (e.g. modify_ldt is allowed)      0.1
✗ SystemCallFilter=~@clock                                    System call deny list defined for service, and @clock is not included (e.g. adjtimex is allowed)                0.2
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                                                          
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                                   0.1
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity                                                         
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                                           
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                                           
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                                            
✗ AmbientCapabilities=                                        Service process receives ambient capabilities                                                                   0.1
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                                      
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                              0.1
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                           0.3
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                                               
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)                                             
✓ SupplementaryGroups=                                        Service has no supplementary groups                                                                        
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                                                              
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                                                
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                                                
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                                                            
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                                      
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                                                    
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                                                  
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                                                    
✓ ProtectHome=                                                Service has no access to home directories                                                                  
✓ PrivateDevices=                                             Service has no access to hardware devices                                                                  
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                              0.1
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges                                                                      0.1
✗ PrivateNetwork=                                             Service has access to the host's network                                                                        0.5
✗ PrivateUsers=                                               Service has access to other users                                                                               0.2
✗ DeviceAllow=                                                Service has a device ACL with some special devices: char-rtc:r                                                  0.1
✓ KeyringMode=                                                Service doesn't share key material with other services                                                     
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                                          
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                                0.2
✓ NotifyAccess=                                               Service child processes cannot alter service state                                                         
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                                                 
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                                                  
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                                                    
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                                            
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                                      
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                                                    
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                                        
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                                        
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                                        
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                                                 
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                                         
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                                             
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                                              
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                                              
✓ PrivateMounts=                                              Service cannot install system mounts                                                                       
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                                        
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                                                  
✓ RestrictNamespaces=~user                                    Service cannot create user namespaces                                                                      
✓ RestrictNamespaces=~pid                                     Service cannot create process namespaces                                                                   
✓ RestrictNamespaces=~net                                     Service cannot create network namespaces                                                                   
✓ RestrictNamespaces=~uts                                     Service cannot create hostname namespaces                                                                  
✓ RestrictNamespaces=~mnt                                     Service cannot create file system namespaces                                                               
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                                          
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                                         
✓ RestrictNamespaces=~cgroup                                  Service cannot create cgroup namespaces                                                                    
✓ RestrictNamespaces=~ipc                                     Service cannot create IPC namespaces                                                                       
✓ ProtectHostname=                                            Service cannot change system host/domainname                                                               
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                                              
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                                      
✓ LockPersonality=                                            Service cannot change ABI personality                                                                      
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                                                        
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                                                     
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets                                                                    
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                                                     
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                                            
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                                           
✓ UMask=                                                      Files created by service are accessible only by service's own user by default                              

→ Overall exposure level for ae-slapd.service: 3.0 OK 🙂
-------------- next part --------------
  NAME                                                        DESCRIPTION                                                                   EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                           0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity                            
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                         
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                       
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                   
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                              0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces                                         
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                        
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                 
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                       
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                               
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                            
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                                 
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                              
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                 0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                   0.2
✓ KeyringMode=                                                Service doesn't share key material with other services                        
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                               
✓ NotifyAccess=                                               Service child processes cannot alter service state                            
✓ PrivateDevices=                                             Service has no access to hardware devices                                     
✓ PrivateMounts=                                              Service cannot install system mounts                                          
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                     
✗ PrivateUsers=                                               Service has access to other users                                                  0.2
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                    
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                           
✓ ProtectHome=                                                Service has no access to home directories                                     
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer               
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                    
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                           
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)                
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                  
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                        
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                              
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                         
✓ SystemCallFilter=~@clock                                    System call deny list defined for service, and @clock is included             
✓ SystemCallFilter=~@debug                                    System call deny list defined for service, and @debug is included             
✓ SystemCallFilter=~@module                                   System call deny list defined for service, and @module is included            
✓ SystemCallFilter=~@mount                                    System call deny list defined for service, and @mount is included             
✓ SystemCallFilter=~@raw-io                                   System call deny list defined for service, and @raw-io is included            
✓ SystemCallFilter=~@reboot                                   System call deny list defined for service, and @reboot is included            
✓ SystemCallFilter=~@swap                                     System call deny list defined for service, and @swap is included              
✓ SystemCallFilter=~@privileged                               System call deny list defined for service, and @privileged is included        
✓ SystemCallFilter=~@resources                                System call deny list defined for service, and @resources is included         
✗ AmbientCapabilities=                                        Service process receives ambient capabilities                                      0.1
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                         
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                       
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                            
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges                                         0.1
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                       
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                   
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces                                       
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces                                          
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces                                      
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces                                  
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces                                      
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                              
✓ SystemCallFilter=~@cpu-emulation                            System call deny list defined for service, and @cpu-emulation is included     
✓ SystemCallFilter=~@obsolete                                 System call deny list defined for service, and @obsolete is included          
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets                                       
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                      0.1
✓ SupplementaryGroups=                                        Service has no supplementary groups                                           
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                               
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                 
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree             
✓ LockPersonality=                                            Service cannot change ABI personality                                         
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                     
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                             
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces                                     
✓ UMask=                                                      Files created by service are accessible only by service's own user by default 
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                           
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                           
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                 
✓ ProtectHostname=                                            Service cannot change system host/domainname                                  
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                           
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                             
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                     
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                         
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                 0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                 0.1

→ Overall exposure level for ae-slapd.service: 1.4 OK 🙂
-------------- next part --------------
  NAME                                                        DESCRIPTION                                                                                                EXPOSURE
✗ SystemCallFilter=~@swap                                     System call deny list defined for service, and @swap is not included (e.g. swapoff is allowed)                  0.2
✗ SystemCallFilter=~@resources                                System call deny list defined for service, and @resources is not included (e.g. ioprio_set is allowed)          0.2
✗ SystemCallFilter=~@reboot                                   System call deny list defined for service, and @reboot is not included (e.g. kexec_file_load is allowed)        0.2
✗ SystemCallFilter=~@raw-io                                   System call deny list defined for service, and @raw-io is not included (e.g. ioperm is allowed)                 0.2
✗ SystemCallFilter=~@privileged                               System call deny list defined for service, and @privileged is not included (e.g. chown is allowed)              0.2
✗ SystemCallFilter=~@obsolete                                 System call deny list defined for service, and @obsolete is not included (e.g. _sysctl is allowed)              0.1
✗ SystemCallFilter=~@mount                                    System call deny list defined for service, and @mount is not included (e.g. chroot is allowed)                  0.2
✗ SystemCallFilter=~@module                                   System call deny list defined for service, and @module is not included (e.g. delete_module is allowed)          0.2
✗ SystemCallFilter=~@debug                                    System call deny list defined for service, and @debug is not included (e.g. lookup_dcookie is allowed)          0.2
✗ SystemCallFilter=~@cpu-emulation                            System call deny list defined for service, and @cpu-emulation is not included (e.g. modify_ldt is allowed)      0.1
✗ SystemCallFilter=~@clock                                    System call deny list defined for service, and @clock is not included (e.g. adjtimex is allowed)                0.2
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                                                          
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                                   0.1
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity                                                         
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                                           
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                                           
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                                            
✗ AmbientCapabilities=                                        Service process receives ambient capabilities                                                                   0.1
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                                      
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                              0.1
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                           0.3
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                                               
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)                                             
✓ SupplementaryGroups=                                        Service has no supplementary groups                                                                        
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                                                              
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                                                
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                                                
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                                                            
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                                      
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                                                    
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                                                  
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                                                    
✓ ProtectHome=                                                Service has no access to home directories                                                                  
✓ PrivateDevices=                                             Service has no access to hardware devices                                                                  
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                              0.1
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges                                                                      0.1
✗ PrivateNetwork=                                             Service has access to the host's network                                                                        0.5
✗ PrivateUsers=                                               Service has access to other users                                                                               0.2
✗ DeviceAllow=                                                Service has a device ACL with some special devices: char-rtc:r                                                  0.1
✓ KeyringMode=                                                Service doesn't share key material with other services                                                     
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                                          
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                                0.2
✓ NotifyAccess=                                               Service child processes cannot alter service state                                                         
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                                                 
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                                                  
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                                                    
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                                            
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                                      
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                                                    
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                                        
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                                        
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                                        
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                                                 
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                                         
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                                             
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                                              
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                                              
✓ PrivateMounts=                                              Service cannot install system mounts                                                                       
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                                        
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                                                  
✓ RestrictNamespaces=~user                                    Service cannot create user namespaces                                                                      
✓ RestrictNamespaces=~pid                                     Service cannot create process namespaces                                                                   
✓ RestrictNamespaces=~net                                     Service cannot create network namespaces                                                                   
✓ RestrictNamespaces=~uts                                     Service cannot create hostname namespaces                                                                  
✓ RestrictNamespaces=~mnt                                     Service cannot create file system namespaces                                                               
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                                          
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                                         
✓ RestrictNamespaces=~cgroup                                  Service cannot create cgroup namespaces                                                                    
✓ RestrictNamespaces=~ipc                                     Service cannot create IPC namespaces                                                                       
✓ ProtectHostname=                                            Service cannot change system host/domainname                                                               
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                                              
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                                      
✓ LockPersonality=                                            Service cannot change ABI personality                                                                      
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                                                        
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                                                     
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets                                                                    
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                                                     
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                                            
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                                           
✓ UMask=                                                      Files created by service are accessible only by service's own user by default                              

→ Overall exposure level for ae-slapd.service: 3.0 OK 🙂
-------------- next part --------------
  NAME                                                        DESCRIPTION                                                                                            EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                                                    0.5
✓ User=/DynamicUser=                                          Service runs under a static non-root user identity                                                     
✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                Service cannot change UID/GID identities/capabilities                                                  
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN                        Service has no administrator privileges                                                                
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE                       Service has no ptrace() debugging abilities                                                            
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                                                       0.3
✓ RestrictNamespaces=~CLONE_NEWUSER                           Service cannot create user namespaces                                                                  
✓ RestrictAddressFamilies=~…                                  Service cannot allocate exotic sockets                                                                 
✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)           Service cannot change file ownership/access mode/capabilities                                          
✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)         Service cannot override UNIX file/IPC permission checks                                                
✓ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has no network configuration privileges                                                        
✓ CapabilityBoundingSet=~CAP_SYS_MODULE                       Service cannot load kernel modules                                                                     
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO                        Service has no raw I/O access                                                                          
✓ CapabilityBoundingSet=~CAP_SYS_TIME                         Service processes cannot change the system clock                                                       
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                                          0.1
✗ IPAddressDeny=                                              Service does not define an IP address allow list                                                            0.2
✓ KeyringMode=                                                Service doesn't share key material with other services                                                 
✓ NoNewPrivileges=                                            Service processes cannot acquire new privileges                                                        
✓ NotifyAccess=                                               Service child processes cannot alter service state                                                     
✓ PrivateDevices=                                             Service has no access to hardware devices                                                              
✓ PrivateMounts=                                              Service cannot install system mounts                                                                   
✓ PrivateTmp=                                                 Service has no access to other software's temporary files                                              
✗ PrivateUsers=                                               Service has access to other users                                                                           0.2
✓ ProtectClock=                                               Service cannot write to the hardware clock or system clock                                             
✓ ProtectControlGroups=                                       Service cannot modify the control group file system                                                    
✓ ProtectHome=                                                Service has no access to home directories                                                              
✓ ProtectKernelLogs=                                          Service cannot read from or write to the kernel log ring buffer                                        
✓ ProtectKernelModules=                                       Service cannot load or read kernel modules                                                             
✓ ProtectKernelTunables=                                      Service cannot alter kernel tunables (/proc/sys, …)                                                    
✓ ProtectProc=                                                Service has restricted access to process tree (/proc hidepid=)                                         
✓ ProtectSystem=                                              Service has strict read-only access to the OS file hierarchy                                           
✓ RestrictAddressFamilies=~AF_PACKET                          Service cannot allocate packet sockets                                                                 
✓ RestrictSUIDSGID=                                           SUID/SGID file creation by service is restricted                                                       
✓ SystemCallArchitectures=                                    Service may execute system calls only with native ABI                                                  
✓ SystemCallFilter=~@clock                                    System call deny list defined for service, and @clock is included                                      
✓ SystemCallFilter=~@debug                                    System call deny list defined for service, and @debug is included                                      
✓ SystemCallFilter=~@module                                   System call deny list defined for service, and @module is included                                     
✓ SystemCallFilter=~@mount                                    System call deny list defined for service, and @mount is included                                      
✓ SystemCallFilter=~@raw-io                                   System call deny list defined for service, and @raw-io is included                                     
✓ SystemCallFilter=~@reboot                                   System call deny list defined for service, and @reboot is included                                     
✓ SystemCallFilter=~@swap                                     System call deny list defined for service, and @swap is included                                       
✓ SystemCallFilter=~@privileged                               System call deny list defined for service, and @privileged is included                                 
✗ SystemCallFilter=~@resources                                System call deny list defined for service, and @resources is not included (e.g. ioprio_set is allowed)      0.2
✗ AmbientCapabilities=                                        Service process receives ambient capabilities                                                               0.1
✓ CapabilityBoundingSet=~CAP_AUDIT_*                          Service has no audit subsystem access                                                                  
✓ CapabilityBoundingSet=~CAP_KILL                             Service cannot send UNIX signals to arbitrary processes                                                
✓ CapabilityBoundingSet=~CAP_MKNOD                            Service cannot create device nodes                                                                     
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges                                                                  0.1
✓ CapabilityBoundingSet=~CAP_SYSLOG                           Service has no access to kernel logging                                                                
✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)              Service has no privileges to change resource use parameters                                            
✓ RestrictNamespaces=~CLONE_NEWCGROUP                         Service cannot create cgroup namespaces                                                                
✓ RestrictNamespaces=~CLONE_NEWIPC                            Service cannot create IPC namespaces                                                                   
✓ RestrictNamespaces=~CLONE_NEWNET                            Service cannot create network namespaces                                                               
✓ RestrictNamespaces=~CLONE_NEWNS                             Service cannot create file system namespaces                                                           
✓ RestrictNamespaces=~CLONE_NEWPID                            Service cannot create process namespaces                                                               
✓ RestrictRealtime=                                           Service realtime scheduling access is restricted                                                       
✓ SystemCallFilter=~@cpu-emulation                            System call deny list defined for service, and @cpu-emulation is included                              
✓ SystemCallFilter=~@obsolete                                 System call deny list defined for service, and @obsolete is included                                   
✓ RestrictAddressFamilies=~AF_NETLINK                         Service cannot allocate netlink sockets                                                                
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                                               0.1
✓ SupplementaryGroups=                                        Service has no supplementary groups                                                                    
✓ CapabilityBoundingSet=~CAP_MAC_*                            Service cannot adjust SMACK MAC                                                                        
✓ CapabilityBoundingSet=~CAP_SYS_BOOT                         Service cannot issue reboot()                                                                          
✓ Delegate=                                                   Service does not maintain its own delegated control group subtree                                      
✓ LockPersonality=                                            Service cannot change ABI personality                                                                  
✓ MemoryDenyWriteExecute=                                     Service cannot create writable executable memory mappings                                              
✓ RemoveIPC=                                                  Service user cannot leave SysV IPC objects around                                                      
✓ RestrictNamespaces=~CLONE_NEWUTS                            Service cannot create hostname namespaces                                                              
✓ UMask=                                                      Files created by service are accessible only by service's own user by default                          
✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                  Service cannot mark files immutable                                                                    
✓ CapabilityBoundingSet=~CAP_IPC_LOCK                         Service cannot lock memory into RAM                                                                    
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT                       Service cannot issue chroot()                                                                          
✓ ProtectHostname=                                            Service cannot change system host/domainname                                                           
✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                    Service cannot establish wake locks                                                                    
✓ CapabilityBoundingSet=~CAP_LEASE                            Service cannot create file leases                                                                      
✓ CapabilityBoundingSet=~CAP_SYS_PACCT                        Service cannot use acct()                                                                              
✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                   Service cannot issue vhangup()                                                                         
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM                       Service cannot program timers that wake up the system                                                  
✗ RestrictAddressFamilies=~AF_UNIX                            Service may allocate local sockets                                                                          0.1
✗ ProcSubset=                                                 Service has full access to non-process /proc files (/proc subset=)                                          0.1

→ Overall exposure level for ae-slapd.service: 1.5 OK 🙂