Package: wpasupplicant Version: 2:2.10-11 Severity: normal Tags: patch If you run "systemd-analyze security wpa_supplicant.service" you will see it has an exposure score of 9.6, if you add the following settings then it goes down to 3.2. This has been tested in Debian/Testing and Ubuntu 22.04 and found to work well. The only difference between Debian and Ubuntu in this regard is that the Debian will SEGV if lchown() is denied so the @privileged set of system calls can't be used in SystemCallFilter=~ . I know you might not want to apply this when we are in the process of a release freeze, but I would appreciate any feedback you can offer on this now.
[Service] # needs: # to write /proc/sys/net/ipv4/conf/wifi/drop_unicast_in_l2_multicast etc # access to /dev/rfkill # PrivateUsers and ProtectClock breaks things # rfkill needs CAP_BLOCK_SUSPEND # AF_UNIX for dbus CapabilityBoundingSet=CAP_NET_ADMIN CAP_BLOCK_SUSPEND CAP_NET_RAW RestrictNamespaces=true SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap @module @obsolete ProtectSystem=true ProtectProc=invisible SystemCallArchitectures=native DeviceAllow=/dev/rfkill DevicePolicy=closed UMask=077 NoNewPrivileges=true ProtectKernelLogs=true ProtectControlGroups=true ProtectKernelModules=true ProtectSystem=true ProtectHome=true PrivateTmp=true MemoryDenyWriteExecute=true ProtectHostname=true LockPersonality=true RestrictRealtime=true RestrictSUIDSGID=true -- System Information: Debian Release: bookworm/sid APT prefers testing-debug APT policy: (500, 'testing-debug'), (500, 'testing'), (1, 'experimental') Architecture: amd64 (x86_64) Kernel: Linux 6.1.0-3-amd64 (SMP w/2 CPU threads; PREEMPT) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: SELinux: enabled - Mode: Enforcing - Policy name: default Versions of packages wpasupplicant depends on: ii adduser 3.131 ii libc6 2.36-8 ii libdbus-1-3 1.14.6-1 ii libnl-3-200 3.7.0-0.2+b1 ii libnl-genl-3-200 3.7.0-0.2+b1 ii libnl-route-3-200 3.7.0-0.2+b1 ii libpcsclite1 1.9.9-1 ii libreadline8 8.2-1.3 ii libssl3 3.0.8-1 wpasupplicant recommends no packages. Versions of packages wpasupplicant suggests: pn libengine-pkcs11-openssl <none> pn wpagui <none> -- no debconf information