On Thu, Apr 04, 2019 at 02:22:59PM +0300, Topi Miettinen wrote:
> Subject: [PATCH] Harden systemd service
>
> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>

I have not seen any comments on this so far and since I'm not very familiar with systemd, I'm not sure what exactly this does and how this works with various different distributions. How has this been tested? Is it clear that these capabilities do not result in regressions? It would be helpful if the commit message were to address such details.

> diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in
> @@ -4,9 +4,28 @@ Before=network.target
> Wants=network.target
>
> [Service]
> -Type=dbus

Why is this Type=dbus line being moved?

> BusName=fi.w1.wpa_supplicant1
> +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW
> ExecStart=@BINDIR@/wpa_supplicant -u
> +IPAddressDeny=any

Does that prevent TCP or UDP communication in some manner? If so, why? Wouldn't that break WPS ER? (Or a more recent addition, DPP Controller?)

> +LimitMEMLOCK=0
> +LockPersonality=yes
> +MemoryDenyWriteExecute=yes
> +NoNewPrivileges=yes
> +PrivateTmp=yes
> +ProtectControlGroups=yes
> +ProtectHome=yes
> +ProtectKernelModules=yes
> +ProtectKernelTunables=yes
> +ProtectSystem=strict
> +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET

Would this break use of AF_ALG? Or AF_BRIDGE? Or AF_LINK?

> +RestrictNamespaces=yes
> +RestrictRealtime=yes
> +SystemCallArchitectures=native
> +SystemCallFilter=@system-service
> +TasksMax=1
> +Type=dbus
> +UMask=0077

Everything else here looks like an addition, but the Type line is removed and added, i.e., moved, which makes this patch more complex than (hopefully) needed.

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
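Review bot: ProtectSystem=strict in this hunk mounts the whole file system hierarchy read-only except /dev, /proc and /sys, and the hunk adds no ReadWritePaths= or RuntimeDirectory= alongside it, so a configuration that uses a ctrl_interface directory under /run (where the control-interface sockets are created) or update_config=1 (which rewrites the configuration file) would start failing with EROFS. Either add `ReadWritePaths=` for those locations, or have the commit message state that distributions are expected to supply a drop-in for them. On the IPAddressDeny=any question above: it installs a cgroup BPF filter that drops every IPv4/IPv6 packet sent or received on the unit's sockets, loopback included, and is silently ignored on kernels without that support, so it does block TCP/UDP paths such as the WPS ER and DPP Controller cases already raised, while leaving AF_PACKET and AF_NETLINK traffic alone. TasksMax=1 also deserves a sentence in the commit message: it makes any fork() or clone() from the service fail with EAGAIN, which is only safe if wpa_supplicant never creates a thread or child process in the `-u` mode used by ExecStart=.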