I've recently become aware of systemd's credentials feature[1]. In a
nutshell, the intent is to reduce privilege in units by systemd itself
copying the credentials (crypto materials, passwords, though in practice
it could be anything) and placing it in /run/credentials, with access
managed by namespacing. This is intended to eliminate the need for the
daemon in the unit directly accessing the data. My concern is the
possibility of inadvertently leaking credentials or abuse. i.e. putting in
LoadCredential=foobar:/etc/shadow
This illustrative, as systemd can't read shadow if it's confined, but
you could replace shadow with a private key or any other highly
confidential data systemd needs to access. The common response to my
concern is systemd units should be protected at high integrity; only
root can modify them, etc. However, I think we can do better to reduce
the possibility of errors.
I've discussed this with one of the systemd maintainers, and I'm
proposing this change:
1. pid1 forks (to pidN) to run the unit, as usual.
2. pidN does security_compute_create() using the current domain and the
label of the unit to get a new domain.
3. pidN does setcon() to the new domain.
4. pidN runs the unit as per usual (including the credentials stuff)
Then we'd need to add something like this to the policy:
allow init_t httpd_initrc_t:process dyntransition;
type_transition init_t httpd_unit_t:process httpd_initrc_t;
I have not yet prototyped this, but based on my discussion with the
systemd maintainers, this should be doable. I believe the added benefit
is we can decompose initrc_t's privilege and maybe even reduce init_t's
privilege.
What are your thoughts?
[1] https://systemd.io/CREDENTIALS/
--
Chris