Hi Ludovic, On Fedora, CAP_DAC_OVERRIDE is not granted to bind, because it might be dangerous feature. CAP_DAC_READ_SEARCH is a little bit safer, but still might be unnecessary. It should be possible to run even without it with careful permission configuration of keys and config files.
I think CAP_SYS_RESOURCE is required to automatically adjust maximum number of file descriptors/sockets from configuration. But I am not 100% about that. I recently rejected request to change from Type=forking. Has anyone got a patch for bind to support Type=notice systemd service? I would like to get rid of pid file handling, but Type=simple will not work for me. I am not sure if PrivateDevices=yes can be used by default on Fedora. We package also named-pkcs11 version, which should be able to access hardware tokens and accelerators. I doubt it would work with that. I want them to still work if they worked until now. Normal variant might use that, chroot already has its own empty /dev. There is some nice page about this on Fedora wiki: https://fedoraproject.org/wiki/Packaging:Systemd#Fields_to_avoid Dne 15.1.2018 v 18:58 Ludovic Gasc napsal(a): > Hi, > > (Not sure it's the right mailing-list to discuss about this, tell me if > it's another one) > > For your information, systemd offers several options to increase the > security of each daemon based on cgroups, like Docker or rkt. > For > example: > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities > > This approach permits to keep the classical Linux distribution daemons > with simple maintenance actions via apt or yum + the same container > security as a Docker image. > > A discussion has already started on Debian tracker: > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841 > > Based on this proposal, I made a new service override with extra > security (see below). > > But now, I need your help for two parameters of systemd: > 1. The list of minimal capabilities needed for bind to run > correctly: http://man7.org/linux/man-pages/man7/capabilities.7.html > 2. The list of minimal > SystemCallFilter: > https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter= > > Where I could find the lists ? > > If you have other ideas to increase the security, I'm interested in: > My objective is to propose this service file to be integrated in Debian > and Fedora. > > Thanks for your feedback. > > The service override: > > [Service] > CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID > CAP_SETUID > SystemCallFilter=~@mount @debug > NoNewPrivileges=true > PrivateDevices=true > PrivateTmp=true > ProtectHome=true > ProtectSystem=strict > ProtectKernelModules=true > ProtectKernelTunables=true > ProtectControlGroups=true > InaccessiblePaths=/home > InaccessiblePaths=/opt > InaccessiblePaths=/root > ReadWritePaths=/run/named > ReadWritePaths=/var/cache/bind > ReadWritePaths=/var/lib/bind > > -- > Ludovic Gasc (GMLudo) > > > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users > -- Petr Menšík Software Engineer Red Hat, http://www.redhat.com/ email: pemen...@redhat.com PGP: 65C6C973 _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
