Hello Krish! Above all, thank you for your ideas and your enthusiasm. I don't know why you cannot create a fork. Creating an account at fd.o's Gitlab instance was already quite demanding in the past, but after a series of hacker/miner attacks, maybe they made it even harder. Anyway, you can download a ZIP file of the repo any time and unpack it in your own git directory. Nonetheless, can you please send a plain diff? I don't know whether some options in your proposal are just shuffled, but I recognize some and recall that some of those are already covered by some options already used in current HEAD. By this time, polkit's security analysis should result below 0.9 SAFE, which is nice.
Thanks again and I'm looking forward to your reply.

Jan

On Fri, Jun 16, 2023 at 5:23 PM Krish Jain <kja...@u.rochester.edu> wrote:
> Hi, Jan.
>
> I hope you're doing well.
>
> I'm an intern collaborating with the Flatcar team, and I've been looking
> into ways to harden polkit. However, I currently don't have permission to
> fork the polkit repository to make a merge request. It seems that many
> public GitLab instances have implemented such restrictions to prevent spam
> or abuse.
>
> I was hoping to propose some additional hardening options (refer to the
> details below or visit
> https://cpaste.org/?5273ced15344a895#Ef8YGQr39kLYNGe6QdTbAzRdajDrZnPt4N7rSSkFBC92)
> and have them upstreamed to polkit. This would help reduce exposure, as
> indicated by the security analysis performed by systemd-analyze. I would
> greatly appreciate any feedback on the following options and the
> possibility of getting them incorporated into the upstream repository.
> Thank you!
>
> Best regards,
> Krish Jain
> LinkedIn: https://www.linkedin.com/in/krishjain02/
>
> [Unit]
> Description=Authorization Manager
> Documentation=man:polkit(8)
>
> [Service]
> Type=dbus
> BusName=org.freedesktop.PolicyKit1
> ExecStart=/usr/lib/polkit-1/polkitd --no-debug
>
> # Network Sandboxing
> PrivateNetwork=yes
> RestrictAddressFamilies=AF_UNIX
> RestrictAddressFamilies=~AF_INET AF_INET6 AF_NETLINK AF_PACKET
> IPAccounting=yes
> # IPAddressAllow=any
> # IPAddressDeny= service needs access to all IPs
>
> # File System Sandboxing
> ProtectHome=yes
> ProtectSystem=strict
> ProtectProc=ptraceable
> # ReadWritePaths=
> PrivateTmp=yes
>
> # User separation
> # PrivateUsers= service runs as root
> # DynamicUser= service runs as root
> User=@polkitd_user@
> Group=@polkitd_user@
>
> # Device sandboxing
> PrivateDevices=yes
> # DeviceAllow=/dev/exampledevice
> # DevicePolicy=strict
>
> # Kernel
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectKernelLogs=yes
> ProtectHostname=yes
> ProtectClock=yes
>
> # Other hardening
> UMask=077
> AmbientCapabilities=CAP_BPF CAP_PERFMON
> CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_DAC_READ_SEARCH
> CapabilityBoundingSet=~CAP_SYS_RAWIO
> CapabilityBoundingSet=~CAP_SYS_PTRACE
> CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
> CapabilityBoundingSet=~CAP_NET_ADMIN
> CapabilityBoundingSet=~CAP_KILL
> CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST
> CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
> CapabilityBoundingSet=~CAP_SYS_BOOT
> CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
> CapabilityBoundingSet=~CAP_SYS_CHROOT
> CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
> CapabilityBoundingSet=~CAP_LEASE
> CapabilityBoundingSet=~CAP_SYS_PACCT
> CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
> CapabilityBoundingSet=~CAP_SYS_ADMIN
> # CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
> CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
> CapabilityBoundingSet=~CAP_NET_RAW
> CapabilityBoundingSet=~CAP_IPC_LOCK
> NoNewPrivileges=yes
> ProtectControlGroups=yes
> RestrictNamespaces=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
> IPAddressDeny=any
> LimitMEMLOCK=0
> # RemoveIPC= service runs as root
>
> # System calls
> SystemCallFilter=@system-service @resources
> SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module @privileged
> SystemCallFilter=@system-service @resources @privileged
> SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module
> SystemCallArchitectures=native
>
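The proposal above assigns SystemCallFilter= four times, once removing @privileged and once adding it back, which is the kind of shuffled or overlapping option Jan asks about. The script below is an added example, not part of this thread or of polkit: it folds repeated list-type lines the way systemd merges them (a plain line adds tokens, a "~" line removes them, an empty value resets) and reports any token a later line re-allows. The sample unit is a constructed excerpt of the paste, and syscall groups are kept as opaque tokens rather than expanded.

```python
# Constructed excerpt mirroring the proposal above: three of its
# CapabilityBoundingSet= lines and its four SystemCallFilter= lines.
SAMPLE_UNIT = """\
[Service]
CapabilityBoundingSet=~CAP_SYS_ADMIN
CapabilityBoundingSet=~CAP_SYS_PTRACE
CapabilityBoundingSet=~CAP_DAC_* CAP_FOWNER CAP_IPC_OWNER
SystemCallFilter=@system-service @resources
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module @privileged
SystemCallFilter=@system-service @resources @privileged
SystemCallFilter=~@debug @mount @cpu-emulation @obsolete @clock @swap @reboot @module
"""

def service_directives(text):
    """Yield (key, value) pairs from the [Service] section, skipping comments."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section == "[Service]" and "=" in line:
            key, _, value = line.partition("=")
            yield key.strip(), value.strip()

def merge_list_setting(values):
    """Fold repeated assignments of one list-type setting using systemd's rule:
    a plain line adds its tokens, a '~' line removes them, an empty value resets.
    Syscall groups such as @privileged stay opaque tokens (a simplification)."""
    allowed, denied, ever_denied = set(), set(), set()
    for value in values:
        if value == "":
            allowed, denied = set(), set()
            continue
        tokens = set(value.lstrip("~").split())
        if value.startswith("~"):
            denied |= tokens; allowed -= tokens; ever_denied |= tokens
        else:
            allowed |= tokens; denied -= tokens
    # "reallowed": removed by an earlier '~' line, then added back by a later one
    return {"allowed": allowed, "denied": denied, "reallowed": ever_denied & allowed}

def audit_unit(text, keys=("CapabilityBoundingSet", "SystemCallFilter")):
    """Return the merged view of each list-type key; a non-empty 'reallowed'
    set means a later line silently undid an earlier restriction."""
    grouped = {}
    for key, value in service_directives(text):
        grouped.setdefault(key, []).append(value)
    return {key: merge_list_setting(grouped.get(key, [])) for key in keys}
```

Run `audit_unit(SAMPLE_UNIT)` on the excerpt and the SystemCallFilter entry reports @privileged as re-allowed, which is the net effect of the four lines as pasted.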