Control: tags -1 patch

Dear dererk,

Here is a patch that implements the suggested change. Note that ProtectSystem=full was replaced by more restrictive settings:

> # Makes the system read-only (in the daemon's namespace)
> # and prevent access to the logs
> ReadOnlyDirectories=/
> ReadWriteDirectories=/var/run
> ReadWriteDirectories=/var/lib/openntpd
> InaccessibleDirectories=/var/log

The configuration change suggested here was tested on stretch, like the original one. For some reason that I haven't elucidated yet, it fails on jessie, but this is likely not an issue (it wouldn't be sent to stable anyhow).

Best,
nicoo
From 1ebb3d50a35d2163b22a6e514ccb8d4687cbfead Mon Sep 17 00:00:00 2001 From: Nicolas Braud-Santoni <[email protected]> Date: Sun, 8 May 2016 19:13:45 +0200 Subject: [PATCH] Use systemd sandboxing --- debian/changelog | 6 ++++++ debian/openntpd.service | 26 ++++++++++++++++++++++++++ 2 files changed, 32 insertions(+) diff --git a/debian/changelog b/debian/changelog index 6bae66c..7b760c0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +openntpd (1:5.7p4-4) unstable; urgency=medium + + * Use systemd's sandboxing (Closes: 816456) + + -- + openntpd (1:5.7p4-3) unstable; urgency=medium * Add support for GNU/kFreeBSD arc4random (Closes: 815302). diff --git a/debian/openntpd.service b/debian/openntpd.service index 311e0c6..9289fc0 100644 --- a/debian/openntpd.service +++ b/debian/openntpd.service @@ -3,6 +3,7 @@ Description=OpenNTPd Network Time Protocol Conflicts=systemd-timesyncd.service After=network.target + [Service] Type=forking EnvironmentFile=-/etc/default/openntpd @@ -10,5 +11,30 @@ ExecStart=/usr/sbin/ntpd $DAEMON_OPTS Restart=on-failure RuntimeDirectory=openntpd +## Sandboxing features. See systemd.exec(5) +# The service gets its own instance of {/var,}/tmp +PrivateTmp=true + +# Only exposes API pseudo-devices (/dev/null, zero, random) +PrivateDevices=true + +# Makes the system read-only (in the daemon's namespace) +# and prevent access to the logs +ReadOnlyDirectories=/ +ReadWriteDirectories=/var/run +ReadWriteDirectories=/var/lib/openntpd +InaccessibleDirectories=/var/log + +# Prevents access to /home, /root and /run/user +ProtectHome=true + +# Bounds the daemon's privileges. +# See capabilities(7) and +# /usr/share/doc/linux-doc-*/Documentation/prctl/no_new_privs.txt.gz +CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG +CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT +NoNewPrivileges=true + + [Install] WantedBy=multi-user.target -- 2.8.1
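Review bot: in the debian/changelog hunk the trailer of the new 1:5.7p4-4 entry is a bare `--` with no maintainer name, e-mail address or date, so dpkg-parsechangelog will not accept the entry and the package will not build; finish it with `dch -r` (or write the usual `-- Name <email>  date` line by hand) before the patch is applied.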
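Review bot: in the debian/openntpd.service hunk, CAP_SYSLOG in the CapabilityBoundingSet= lines is not needed by a daemon that logs through syslog(3): that is a write to the /dev/log socket, which requires no capability, whereas CAP_SYSLOG only gates syslog(2) and the kernel ring buffer, so dropping it tightens the bounding set further (the two CapabilityBoundingSet= lines themselves are fine, systemd merges them by OR). Two smaller points: with ReadOnlyDirectories=/ the unit relies on ReadWriteDirectories=/var/run to keep the directory created by RuntimeDirectory=openntpd (under /run) writable, which only works because /var/run is a symlink to /run on Debian, so listing /run/openntpd explicitly would be clearer and remove the dependency on the symlink; and the comment `# and prevent access to the logs` should read `prevents`.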


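As an added example (my own code, not part of nicoo's patch or of the openntpd package), a small audit that parses a unit's [Service] section, applies systemd's merge rule for repeated CapabilityBoundingSet= lines, and checks two things a reviewer of the sandboxing hunk would want: that CAP_SYSLOG is not granted needlessly, and that the RuntimeDirectory stays writable under ReadOnlyDirectories=/. The sample unit text is constructed from the directives in the patch.

```python
# Constructed sample: the sandboxing directives from the patched unit file.
UNIT_TEXT = """\
[Service]
RuntimeDirectory=openntpd
ReadOnlyDirectories=/
ReadWriteDirectories=/var/run
ReadWriteDirectories=/var/lib/openntpd
InaccessibleDirectories=/var/log
CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
"""

def parse_service(text: str) -> dict:
    """Collect [Service] keys, keeping every occurrence of a repeated key in order."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out.setdefault(key, []).append(value)
    return out

def bounding_set(values: list) -> set:
    """Merge repeated CapabilityBoundingSet= lines by OR; an empty value resets the set."""
    caps = set()
    for v in values:
        caps = set() if v == "" else caps | set(v.split())
    return caps

def audit(text: str) -> dict:
    """Return the effective bounding set, writable paths and review findings."""
    svc = parse_service(text)
    caps = bounding_set(svc.get("CapabilityBoundingSet", []))
    rw = [p.rstrip("/") or "/" for p in svc.get("ReadWriteDirectories", [])]
    findings = []
    # syslog(3) talks to the /dev/log socket; CAP_SYSLOG only covers syslog(2)/dmesg.
    if "CAP_SYSLOG" in caps:
        findings.append("CAP_SYSLOG is not needed for syslog(3)")
    # With / read-only, RuntimeDirectory must be writable again (/var/run -> /run on Debian).
    if "/" in svc.get("ReadOnlyDirectories", []):
        for name in svc.get("RuntimeDirectory", []):
            ok = ("/run", "/var/run", f"/run/{name}", f"/var/run/{name}")
            if not any(p in ok for p in rw):
                findings.append(f"/run/{name} is not writable")
    return {"capabilities": caps, "writable": rw, "findings": findings}
```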