Package: knockd
Version: 0.7-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu eoan ubuntu-patch
Dear Maintainer,

Any knockd configuration rules that call ufw fail because any ufw changes always update the ufw conf files in /etc/ufw/, but the knockd systemd service is started with ProtectSystem=full.

knockd's systemd service restricts its capabilities, so it's unable to load modules needed for changing iptables rules, e.g. the ip6_tables module.

In Ubuntu, the attached patch was applied to achieve the following:

  * d/knockd.service:
    - Change ProtectSystem to 'true', to allow using ufw in knockd rules (LP: #1823051)
    - Add CAP_SYS_MODULE so knockd can load iptables modules if needed (LP: #1825974)

Thanks for considering the patch.

-- System Information:
Debian Release: buster/sid
  APT prefers disco-updates
  APT policy: (500, 'disco-updates'), (500, 'disco-security'), (500, 'disco')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-8-generic (SMP w/24 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
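The two settings the report touches, ProtectSystem and CapabilityBoundingSet, can also be relaxed more narrowly than the Ubuntu patch does. The drop-in below is an added example written for this page, not the reporter's patch and not the unit knockd ships: it keeps ProtectSystem=full and exempts only the ufw state directory, and it leaves CAP_SYS_MODULE out of the bounding set in favour of pre-loading the netfilter table modules at boot. The drop-in path, the assumption that /etc/ufw is the only tree ufw rewrites, and the module list are assumptions to check against your own rules.

```ini
# /etc/systemd/system/knockd.service.d/ufw.conf  (path is an assumption)
# Added example, not part of the knockd package or the bug report.
[Service]
# Keep /etc, /usr and /boot read-only for knockd as the packaged unit does...
ProtectSystem=full
# ...but let ufw rewrite its own rule files. ReadWritePaths= punches a hole
# through the read-only mount created by ProtectSystem=full (systemd >= 231),
# so this is narrower than ProtectSystem=true, which makes all of /etc writable.
ReadWritePaths=/etc/ufw

# CAP_SYS_MODULE is deliberately not added to CapabilityBoundingSet: a process
# that may load arbitrary kernel modules is root-equivalent, which would make
# the remaining bounding set cosmetic. Instead, have the modules the rules
# need loaded before knockd runs the first ufw command, for example via
# /etc/modules-load.d/knockd.conf containing one module name per line:
#   ip6_tables
# (module list is an assumption; ip6_tables is the one the report names)
```

After `systemctl daemon-reload` and a restart of knockd, `systemctl show knockd -p ProtectSystem -p ReadWritePaths -p CapabilityBoundingSet` confirms the effective values, and a `ufw` command in a knock rule should then succeed without widening the unit further.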
diff -Nru knockd-0.7/debian/control knockd-0.7/debian/control --- knockd-0.7/debian/control 2016-11-17 04:54:44.000000000 -0500 +++ knockd-0.7/debian/control 2019-04-23 06:31:56.000000000 -0400 @@ -1,8 +1,7 @@ Source: knockd Section: net Priority: optional -Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com> -XSBC-Original-Maintainer: Leo Antunes <cost...@debian.org> +Maintainer: Leo Antunes <cost...@debian.org> Build-Depends: debhelper (>= 9.20160709~), autotools-dev, libpcap0.8-dev Standards-Version: 3.9.8 Homepage: http://www.zeroflux.org/projects/knock diff -Nru knockd-0.7/debian/knockd.service knockd-0.7/debian/knockd.service --- knockd-0.7/debian/knockd.service 2019-03-10 11:13:50.000000000 -0400 +++ knockd-0.7/debian/knockd.service 2019-04-23 06:31:56.000000000 -0400 @@ -9,8 +9,8 @@ ExecReload=/bin/kill -HUP $MAINPID KillMode=mixed SuccessExitStatus=0 2 15 -ProtectSystem=full -CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN +ProtectSystem=true +CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_MODULE [Install] WantedBy=multi-user.target
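Review bot: the debian/control hunk only reverts Maintainer to Leo Antunes and drops XSBC-Original-Maintainer, i.e. it undoes Ubuntu's maintainer-field change rather than contributing to the fix described in the report; drop this hunk from the patch forwarded to Debian (or regenerate the diff against the Debian source) so the maintainer only has to review the knockd.service change.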
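Review bot: in the debian/knockd.service hunk, adding CAP_SYS_MODULE to `CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_MODULE` largely cancels what the line was providing, since a process that can load arbitrary kernel modules is root-equivalent whatever else is left out of the bounding set; consider pre-loading the table modules the rules need (ip6_tables is the one the report names) via /etc/modules-load.d and leaving the original line as it was. Similarly `ProtectSystem=true` makes all of /etc writable again when the stated need is only the ufw files under /etc/ufw/; keeping `ProtectSystem=full` and adding `ReadWritePaths=/etc/ufw` (available since systemd 231, so fine on buster) grants ufw exactly that. Whichever variant is taken, the hardening trade-off should be recorded in the changelog entry, which is not part of this diff.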