systemd: restrict permissions #778
Merged
Commits on Apr 8, 2024
-
packaging/systemd: restrict permissions
Forwarder does not need that many permissions, we can restrict it to minimum. CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired. The work is based on wireproxy's systemd configuration[1]. Also I found systemd service hardening doc[2] helpful. DynamicUser/Strict system protection didn't work as package installs forwarder binary at /usr/bin. [1] pufferffish/wireproxy#103. [2] https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
-
local/linux: run container in privileged mode
Running systemd service in a container is not very common. We use it for testing, however it has its disadvantages. Some container runtimes prohibit creating UTS namespaces. That leads to a warning: "forwarder.service: ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup." Giving a container privileged mode fixes this issue.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.