hardened and made more reliable the monitor.service file #359

Open
wants to merge 1 commit into base: master

Conversation

BrainDamage

since the service depends on the bluetooth daemon, start after it ( After= )
since the daemon fails to work properly without bluetooth, don't start it if bluetooth fails ( Requires= )
shut down the service when bluetooth fails ( BindsTo= )

since the daemon isn't necessary for networking, don't install it in the network target

set restart mode on-failure so that if the user accidentally sets a one-shot setting manually in the service, it doesn't keep re-launching it

don't fork the process in the background so that systemd can track the pids of all the programs spawned and kill them if they hang to ensure a proper shutdown

split the re-writable file with the environment into a separate optional file $service_config_path which equals "/etc/default/monitor"; the daemon shouldn't re-write its own service file, for both security and bug prevention

since the daemon runs with ultimate privileges and it's networked, removing the unnecessary ones can prevent system disruption in the case of a bug or a fly-by scripted attack:

LockPersonality ensures kernel personality(2) is enforced
NoNewPrivileges fixes process privileges as the ones set in the service
PrivateMounts makes any mount point created by the service private to the service itself
ProtectClock prevents the system clock from being altered by the service
ProtectControlGroups prevents the system from accessing the kernel control groups ( and overriding the security settings )
ProtectKernelLogs prevents access to the kernel logs
ProtectKernelModules prevents loading/unloading kernel modules; bluetooth modules will be loaded as necessary anyway from bluetooth.service
ProtectKernelTunables denies access to the kernel runtime config
ProtectHostname prevents hostname changes from the service
ProtectHome prevents writing files to the home dir of the user
ProtectProc=invisible makes the service able to see only its own process tree and no further
ProtectSystem=strict makes the whole filesystem read-only except for the paths specified in ReadWritePaths
RestrictNamespaces denies altering the process namespace, useful to prevent bypassing protections
RestrictAddressFamilies limits the types of sockets that can be read/written by the process
RestrictSUIDSGID prevents setting SUID and SGID bits on files
RestrictRealtime prevents acquiring realtime scheduling priority
SystemCallArchitectures ensures that only native binaries are used ( eg only 64 bit in a mixed 32-64 bit environment; the 32 bit ISA is often full of security pitfalls )
SystemCallFilter=~@mount denies access to the mount functionality to prevent bypassing most of the security settings

ReadWritePaths=/sys/class/bluetooth allows raw access to the bluetooth devices
ReadWritePaths=$base_directory allows the service to overwrite itself / its config ( dangerous, but fixing it is not in the scope of this patch )
ReadWritePaths=$service_config_path allows the service to overwrite the execution args of the daemon

daemon-reload is not necessary to reload the environment file, so it's only executed for service installation

all the features used are documented in systemd.exec(5) systemd.unit(5) systemd.service(5)

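The unit file described in this pull request, written out as an added example rather than the PR's actual diff: the install path /opt/monitor, the ExecStart line, the $ARGS variable, the address-family list and the multi-user.target install are assumptions standing in for $base_directory and the real daemon.

```ini
# Added example: monitor.service assembled from the directives the PR describes.
# /opt/monitor stands in for $base_directory; ExecStart and $ARGS are placeholders.
[Unit]
Description=Bluetooth monitor daemon (example)
# Start after bluetoothd, refuse to start without it, stop when it stops or fails.
After=bluetooth.service
Requires=bluetooth.service
BindsTo=bluetooth.service

[Service]
# Stay in the foreground (no Type=forking) so systemd tracks every child PID
# and can kill hung children on shutdown.
Type=simple
# Optional environment file (leading "-": missing file is not an error) that
# the daemon may rewrite instead of rewriting its own unit.
EnvironmentFile=-/etc/default/monitor
ExecStart=/opt/monitor/monitor $ARGS
Restart=on-failure

# Sandboxing from systemd.exec(5): the service still runs as root, so these
# strip what a root daemon with a bug does not need.
LockPersonality=yes
NoNewPrivileges=yes
PrivateMounts=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectHostname=yes
ProtectHome=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
# Assumed families: local sockets, IP for the network side, and bluetooth.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_BLUETOOTH
SystemCallArchitectures=native
SystemCallFilter=~@mount
# The only writable paths once ProtectSystem=strict is in effect.
ReadWritePaths=/sys/class/bluetooth
ReadWritePaths=/opt/monitor
ReadWritePaths=/etc/default/monitor

[Install]
# Assumed target; deliberately not network.target, the daemon isn't needed for networking.
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze security monitor.service` scores the remaining exposure and lists which of these directives are still unset; `ReadWritePaths=/opt/monitor` will show up there as the self-overwrite hole the PR explicitly leaves open.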