Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Hi Lennart,

> However, if we do this, then this needs to be a passive target, see
> systemd.special(7), under "Special passive system units", and it should
> be documented in that section. Passive means it is pulled in by the
> units that implement a pre job, not by the units that implement the
> networking stack. This way it doesn't get added to the initial
> transaction unless there's actually some service that needs to be
> pulled in. See the man page for further discussion on this.
>
> I figure we don't really need network-pre.target, as units that want
> to run before the network is up should just use:
>
> Before=systemd-networkd.service basic.target

From my v3 patch cover letter in reply to Zbyszek:

  Before=basic.target means lots of totally unrelated units can't be
  started in parallel to the firewall. More importantly, you'd also
  need RequiredBy=basic.target to make the network fail closed if e.g.
  iptables can't load a module. But then you end up with a stump of a
  system.

I don't know if this property can be fit into the passive unit model.
Maybe the target should have a different name?

> This is enough since network management services like NM are normal
> services, and networkd is the exception in being available from
> earliest boot on, including in the initrd.

I've never used systemd inside an initrd, but wouldn't
DefaultDependencies=false make the target work in both early and late
systemd?

Rusty

signature.asc
Description: OpenPGP digital signature
___
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Lennart Poettering:
> I am not convinced that the firewall being broken should break the
> boot.

It shouldn't! But there should be at least an option (arguably the
default) to break *connectivity*. With the v1-v3 patches that's decided
by the firewall service, which chooses if it is RequiredBy=, or
WantedBy=, network-pre.target.

> Anyway, this is implemented now, please have a look (see other mail).

Please don't release this as is. Fail-open firewall activation will get
many people in trouble.

Rusty
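The RequiredBy= versus WantedBy= choice described above is easy to get wrong in a unit file, and a wrong choice is silent: the machine boots, the network comes up, and nothing reports that the filter never loaded. The lint below is an added example, not code from this patch series or from systemd. It checks a firewall unit against the convention the v3 cover letter in this thread spells out (Before=network-pre.target in [Unit], RequiredBy=network-pre.target in [Install]), reports WantedBy=network-pre.target as fail-open, and reports a hard Requires= on the target, which cannot start on a systemd that does not ship the unit. The two unit files its self-test writes are constructed for the demonstration and the ExecStart paths in them are placeholders. One caveat: RequiredBy= only propagates a firewall failure to the network if the network configuration units themselves Require= the target, as the v1 hunks make network.target and systemd-networkd.service do; in the passive model Lennart asks for, where the network stack merely orders itself After= the target, a failed firewall fails network-pre.target but does not stop interface configuration.

```shell
#!/bin/sh
# Added example, not code from this patch series or from systemd: a lint for a
# firewall unit against the convention the v3 cover letter spells out
# (Before=network-pre.target in [Unit], RequiredBy=network-pre.target in
# [Install]). The unit files written by fw_unit_selftest are constructed for
# the demonstration; the ExecStart paths in them are placeholders.

# unit_get FILE SECTION KEY: print every value of KEY inside [SECTION].
# A key may repeat, and blanks around '=' are allowed, as in systemd.
unit_get() {
    awk -v want="$2" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; gsub(/[^A-Za-z0-9]/, "", sec); next }
        sec == want && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print
        }' "$1"
}

# unit_has FILE SECTION KEY VALUE: true if VALUE is one of the space-separated
# values of KEY in [SECTION].
unit_has() {
    unit_get "$1" "$2" "$3" | tr ' ' '\n' | grep -qxF "$4"
}

# fw_unit_check FILE: print one finding per line, return 0 when there are none.
fw_unit_check() {
    u=$1; t=network-pre.target; rc=0
    # Without Before= the firewall can run alongside or after interface
    # configuration, which is the leak window this thread is about.
    unit_has "$u" Unit Before "$t" ||
        { echo "MISSING_ORDER: add Before=$t to [Unit]"; rc=1; }
    # WantedBy= lets the target succeed when this unit fails, so interfaces come
    # up unfiltered; RequiredBy= fails the target and everything that requires it.
    if unit_has "$u" Install WantedBy "$t"; then
        echo "FAIL_OPEN: replace WantedBy=$t with RequiredBy=$t"; rc=1
    fi
    unit_has "$u" Install RequiredBy "$t" ||
        { echo "NOT_REQUIRED: add RequiredBy=$t to [Install]"; rc=1; }
    # A hard Requires= on the target makes this unit fail to start on a systemd
    # that does not ship it (the objection to the v2 compatibility claim).
    if unit_has "$u" Unit Requires "$t"; then
        echo "HARD_DEP: Requires=$t fails this unit where the target is absent"; rc=1
    fi
    return $rc
}

# fw_unit_selftest: returns 0 if the lint accepts a fail-closed unit and reports
# all four findings for a fail-open one, using two constructed unit files.
fw_unit_selftest() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/good.service" <<'EOF'
[Unit]
Description=Packet filter (constructed example)
DefaultDependencies=no
Before=network-pre.target shutdown.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/load-firewall /etc/firewall/rules.v4

[Install]
RequiredBy=network-pre.target
EOF
    cat > "$tmp/bad.service" <<'EOF'
[Unit]
Description=Packet filter, fail-open variant (constructed example)
Requires = network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /etc/firewall/rules.v4

[Install]
WantedBy=network-pre.target
EOF
    ok=1
    fw_unit_check "$tmp/good.service" >/dev/null || ok=0
    n=$(fw_unit_check "$tmp/bad.service" | wc -l | tr -d ' ')
    [ "$n" -eq 4 ] || ok=0
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}
```

Run fw_unit_check on the unit that actually gets enabled on the box; the good.service above also carries DefaultDependencies=no, because a firewall unit that keeps the default dependencies is ordered after sysinit.target and basic.target and can end up racing an early network manager that does not.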
Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Lennart Poettering:
> On Wed, 11.06.14 11:13, Rusty Bird (rustyb...@openmailbox.org) wrote:
>> Lennart Poettering:
>>> I am not convinced that the firewall being broken should break the
>>> boot.
>>
>> It shouldn't! But there should be at least an option (arguably the
>> default) to break *connectivity*.
>
> well, but that's better solved with the firewalling logic itself. For
> example by first installing a drop-all rule in the tables, which is
> finally removed when all updates have been made. Should the script
> fail, then the firewall will not let any data through, and you should
> be fine.

I don't think it's possible to implement a fail-closed logic inside the
firewall payload: For example, the netfilter module could be missing
after a kernel upgrade, or a dynamically linked iptables binary could be
broken by a library upgrade, etc. Then you'll be unable to insert a
drop-all rule.

> I am not convinced that the init system should be involved in such a
> logic.

Isn't it troubling that the status quo requires so much unintuitive and
undocumented busywork from each user? For a security-critical component!
I mean, let's survey the landscape:

- Arch and Gentoo ship unsafe iptables-restore services, as do probably
  most other distros.
- Folks on this mailing list who are more familiar with systemd than
  I'll ever be proposed sensible looking dependency specifications, but
  they turned out to be unsafe, too.

These DIY contraptions have some razor sharp edges. So why not factor out
the correct logic, at seemingly no cost beyond the minimal overhead for
an empty target?

Rusty
Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Hi Leonid,

> On Sun, Jun 08, 2014 at 12:33:44PM +, Rusty Bird wrote:
>> Adding to Djalal's and Mantas's examples, the systemd host may also
>> be a gateway with its firewall configured to forward only *some*
>> packets.
>
> If systemd itself is a server (you mean journald really, yes?)

"systemd host" = The machine that systemd runs on. In the example, this
machine is a gateway/router, so it's the Linux kernel (not systemd
itself or any service) that receives packets from other machines in
your network and forwards them towards their destination.

> how can I protect the machine with yet another target? Why there is
> no way to tell systemd directly to start listening only after
> network.target is up? On a related note, what do you do about things
> like sshd.socket (or crap like cups.socket) which are not ordered
> against anything network-related?

network-pre.target is intended to block the initial configuration of
the network interfaces (your Ethernet card, your WiFi radio) so that it
doesn't matter what software component is listening for, or trying to
send, packets: The machine remains cut off from all* network links
until the firewall initialization succeeds.

* Except, if you bring up a network interface during early boot, e.g.
using the kernel parameter ip= or an initramfs. In that case, it's your
own responsibility to bring it down before systemd takes over. If you
care about leaks.

Rusty
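Two points from the messages above belong in the same loader script: Lennart's suggestion to install a drop-all rule before touching the ruleset, with Rusty's objection that iptables itself may be unusable after a kernel or library upgrade, and the footnote that an interface brought up by ip= or an initramfs has already had an unfiltered window before systemd runs anything. The script below is an added example, not code from the patch series or from systemd. It assumes a firewall.service with Before=network-pre.target and RequiredBy=network-pre.target that runs it as ExecStart=. It sets the built-in chain policies to DROP before loading the ruleset, exits non-zero on every failure path so that the unit dependency keeps the interfaces unconfigured when not even a DROP policy can be installed, and reports interfaces that were already up. The iptables commands and the sysfs root are parameters, the stub_* functions stand in for the real commands, and the rules file and sysfs tree in fw_selftest are constructed.

```shell
#!/bin/sh
# Added example, not code from this patch series or from systemd: the loader a
# firewall.service ordered Before=network-pre.target could run, written so that
# every failure path is fail-closed. The iptables commands and the sysfs root are
# parameters so the logic can be exercised without root, netfilter or a real /sys.

# early_ifaces_up [SYSFS_NET]: print non-loopback interfaces whose operstate is
# already "up" when the firewall runs (brought up by ip= or an initramfs). Those
# interfaces had an unfiltered window that this script cannot undo; it only
# makes the window visible in the journal.
early_ifaces_up() {
    sysfs=${1:-/sys/class/net}
    for d in "$sysfs"/*; do
        [ -r "$d/operstate" ] || continue
        ifc=${d##*/}
        [ "$ifc" = lo ] && continue
        [ "$(cat "$d/operstate")" = up ] && echo "$ifc"
    done
    return 0
}

# fw_load RULES_FILE [IPTABLES] [IPTABLES_RESTORE] [SYSFS_NET]
# Returns 0 only if the full ruleset is active. Every other path leaves the
# default policies at DROP where that much worked, and returns non-zero so the
# unit fails and, through RequiredBy=network-pre.target, the target fails too.
fw_load() {
    rules=$1
    ipt=${2:-iptables}
    iptr=${3:-iptables-restore}
    sysfs=${4:-/sys/class/net}

    [ -r "$rules" ] || { echo "fw_load: cannot read $rules" >&2; return 2; }

    for ifc in $(early_ifaces_up "$sysfs"); do
        echo "fw_load: warning: $ifc was already up before the firewall loaded" >&2
    done

    # Step 1, the drop-all-first idea from the thread: close every built-in chain
    # before touching the ruleset, so a failure half-way leaves nothing open.
    for chain in INPUT FORWARD OUTPUT; do
        if ! "$ipt" -P "$chain" DROP; then
            # The counter-case from the thread: the netfilter module or the
            # iptables binary itself is broken, so no rule at all can be
            # installed. The only fail-closed option left is a non-zero exit,
            # so that the unit dependency keeps the interfaces unconfigured.
            echo "fw_load: cannot set $chain policy to DROP" >&2
            return 3
        fi
    done

    # Step 2: load the real ruleset. iptables-restore commits each table as a
    # whole; if it rejects the file, the DROP policies from step 1 remain.
    if ! "$iptr" < "$rules"; then
        echo "fw_load: ruleset rejected, policies remain DROP" >&2
        return 4
    fi
    return 0
}

# Constructed stand-ins for the real commands, used by fw_selftest.
stub_ipt_ok()     { return 0; }
stub_ipt_broken() { return 1; }                  # e.g. ip_tables.ko gone after a kernel upgrade
stub_iptr_ok()    { cat >/dev/null; return 0; }
stub_iptr_bad()   { cat >/dev/null; return 1; }  # e.g. a syntax error in the rules file

# fw_selftest: returns 0 if fw_load behaves as described above, using a
# constructed rules file and a fake sysfs tree in which eth0 is already up.
fw_selftest() {
    tmp=$(mktemp -d) || return 1
    printf '*filter\n:INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\nCOMMIT\n' > "$tmp/rules"
    mkdir -p "$tmp/net/lo" "$tmp/net/eth0" "$tmp/net/wlan0"
    echo unknown > "$tmp/net/lo/operstate"
    echo up > "$tmp/net/eth0/operstate"
    echo down > "$tmp/net/wlan0/operstate"

    ok=1
    [ "$(early_ifaces_up "$tmp/net")" = eth0 ] || ok=0
    rc=0; fw_load "$tmp/rules" stub_ipt_ok stub_iptr_ok "$tmp/net" 2>/dev/null || rc=$?
    [ "$rc" -eq 0 ] || ok=0
    rc=0; fw_load "$tmp/rules" stub_ipt_broken stub_iptr_ok "$tmp/net" 2>/dev/null || rc=$?
    [ "$rc" -eq 3 ] || ok=0
    rc=0; fw_load "$tmp/rules" stub_ipt_ok stub_iptr_bad "$tmp/net" 2>/dev/null || rc=$?
    [ "$rc" -eq 4 ] || ok=0
    rc=0; fw_load "$tmp/missing" stub_ipt_ok stub_iptr_ok "$tmp/net" 2>/dev/null || rc=$?
    [ "$rc" -eq 2 ] || ok=0
    rm -rf "$tmp"
    [ "$ok" -eq 1 ]
}

# When executed with arguments rather than sourced, the first one is the rules file.
if [ $# -gt 0 ]; then
    fw_load "$@"
fi
```

The return codes are distinct on purpose: a unit that fails with status 3 tells you the kernel side is broken and no packet filter exists at all, while status 4 means the DROP policies are in place and only the ruleset needs fixing. Neither state lets a packet through, which is the property the thread is arguing about, but only the unit dependency, not the script, can stop interface configuration in the status-3 case.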
[systemd-devel] [PATCH v3] Add a network-pre.target to avoid firewall leaks
https://bugs.freedesktop.org/show_bug.cgi?id=79600
---
Hi Zbigniew,

> Currently my iptables.service has Before=basic.target. Why is doing
> something like that not enough?

Before=basic.target means lots of totally unrelated units can't be
started in parallel to the firewall. More importantly, you'd also need
RequiredBy=basic.target to make the network fail closed if e.g.
iptables can't load a module. But then you end up with a stump of a
system.

> If it is added, the documentation for the target should be added to
> systemd.special(7), we don't want to have a separate man page for
> every target.

ok

> Also, Description= is part of the documentation, and it should be
> changed to something meaningful.

I used the pattern from the existing *-pre.target units. Changing it to
Description=No Network Yet, which sounds decent enough in "Starting ___"
and "Reached target ___".

>> +paraFirewall services should order themselves varnameBefore=/varname, and +declare a varnameRequiredBy=/varname relation to, varnamenetwork-pre.target/varname. +Once enabled, their failure to start will impede network communication, avoiding +dangerous leaks./para
>
> "dangerous leaks" is unclear and imprecise.

Once enabled, their failure to start will impede the configuration of
network interfaces, preventing unfiltered communication.

>> +para(These usages are compatible with older versions of systemd that do not ship +varnamenetwork-pre.target/varname, because relations to missing units are +dropped.)/para
>
> This is not true. Require=network-pre.target will prevent a service
> from being started if network-pre.target unit is not present.

Damn, I may have tested that using Require= (note the missing s).
Getting NetworkManager, netctl etc. on board with the convention
suddenly looks like it might take a while. :(

>> +RefuseManualStart=yes
>
> Why?

Also copied from *-pre.target.
Removing it now so desperate admins can run systemctl --job-mode=ignore-dependencies start network-pre.target Rusty Makefile.am | 1 + man/systemd.special.xml | 23 +++ units/network-pre.target | 10 ++ units/network.target | 9 + units/systemd-networkd.service.in | 3 ++- 5 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 units/network-pre.target diff --git a/Makefile.am b/Makefile.am index a2a01d0..712c116 100644 --- a/Makefile.am +++ b/Makefile.am @@ -414,6 +414,7 @@ dist_systemunit_DATA = \ units/remote-fs-pre.target \ units/network.target \ units/network-online.target \ + units/network-pre.target \ units/nss-lookup.target \ units/nss-user-lookup.target \ units/hibernate.target \ diff --git a/man/systemd.special.xml b/man/systemd.special.xml index 8c2..7599f27 100644 --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -72,6 +72,7 @@ filenamemulti-user.target/filename, filenamenetwork.target/filename, filenamenetwork-online.target/filename, +filenamenetwork-pre.target/filename, filenamenss-lookup.target/filename, filenamenss-user-lookup.target/filename, filenamepaths.target/filename, @@ -453,6 +454,28 @@ /listitem /varlistentry varlistentry + termfilenamenetwork-pre.target/filename/term +listitem +paraThis special target is intended to be +activated before any network interface +configuration begins./para + +paraNetwork interface configuration +services must varnameRequire=/varname, +and order themselves varnameAfter=/varname, + varnamenetwork-pre.target/varname./para + +paraFirewall services should order +themselves varnameBefore=/varname, and +declare a varnameRequiredBy=/varname +relation to, varnamenetwork-pre.target/varname. +Once enabled, their failure to start will +impede the configuration of network +interfaces, preventing unfiltered +communication./para +/listitem +/varlistentry +varlistentry
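Review bot: the new man/systemd.special.xml entry says network interface configuration services "must Require=" network-pre.target, but the cover letter above concedes that a Requires= on a unit file an older systemd does not ship fails the requiring service, and a target that every network manager has to hard-require is not passive in the sense asked for elsewhere in the thread, since it is pulled into every transaction whether or not a firewall service exists. The fail-closed sentence in the same entry ("their failure to start will impede the configuration of network interfaces") only holds for services that follow that Require= rule; anything that merely orders itself After=network-pre.target proceeds once the target's job has finished, failed or not, so the entry should say that the effect comes from the Requires= relation and not from ordering. The diffstat lists a new units/network-pre.target and a 9-line change to units/network.target, and the cover letter says RefuseManualStart=yes was dropped and Description= changed to "No Network Yet", but those hunks are cut off here after the varlistentry and cannot be checked.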
Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Leonid Isaev:
> But by the time network.target is reached there are no listening
> services yet, are there? So, why would one need a firewall?

Adding to Djalal's and Mantas's examples, the systemd host may also be
a gateway with its firewall configured to forward only *some* packets.

Rusty
Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
Andrey Borzenkov:
> On Fri, 06 Jun 2014 12:53:01 + Rusty Bird rustyb...@openmailbox.org wrote:
>
>> --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -71,6 +71,7 @@ filenamelocal-fs-pre.target/filename, filenamemulti-user.target/filename, filenamenetwork.target/filename, +filenamenetwork-pre.target/filename, filenamenetwork-online.target/filename, filenamenss-lookup.target/filename, filenamenss-user-lookup.target/filename,
>
> That's rather terse documentation :)

What, can't you read my thoughts or something. I'll reply with a v2
patch that includes a manpage.

Rusty
[systemd-devel] [PATCH v2] Add a network-pre.target to avoid firewall leaks
https://bugs.freedesktop.org/show_bug.cgi?id=79600 --- Makefile.am | 1 + man/network-pre.target.xml| 82 +++ units/network-pre.target | 11 ++ units/network.target | 8 units/systemd-networkd.service.in | 3 +- 5 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 man/network-pre.target.xml create mode 100644 units/network-pre.target diff --git a/Makefile.am b/Makefile.am index a2a01d0..79adc34 100644 --- a/Makefile.am +++ b/Makefile.am @@ -413,6 +413,7 @@ dist_systemunit_DATA = \ units/remote-fs.target \ units/remote-fs-pre.target \ units/network.target \ + units/network-pre.target \ units/network-online.target \ units/nss-lookup.target \ units/nss-user-lookup.target \ diff --git a/man/network-pre.target.xml b/man/network-pre.target.xml new file mode 100644 index 000..db52b33 --- /dev/null +++ b/man/network-pre.target.xml 
@@ -0,0 +1,82 @@ +?xml version='1.0'? !--*-nxml-*-- +!DOCTYPE refentry PUBLIC -//OASIS//DTD DocBook XML V4.2//EN +http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd; + +!-- + This file is part of systemd. + + Copyright 2014 Tom Gundersen + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see http://www.gnu.org/licenses/. +-- + +refentry id=network-pre.target + +refentryinfo +titlenetwork-pre.target/title +productnamesystemd/productname + +authorgroup +author +contribDeveloper/contrib +firstnameRusty/firstname +surnameBird/surname +emailrustyb...@openmailbox.org/email +/author +/authorgroup +/refentryinfo + +refmeta +refentrytitlenetwork-pre.target/refentrytitle +manvolnum8/manvolnum +/refmeta + +refnamediv +refnamenetwork-pre.target/refname +refpurposeNetwork interface configuration has not yet begun/refpurpose +/refnamediv + +refsect1 +titleDescription/title + +paravarnamenetwork-pre.target/varname is a systemd target intended to be +activated before any network interface configuration begins./para +/refsect1 + +refsect1 +titleUsage/title + +paraNetwork interface configuration services must varnameRequire=/varname, +and order themselves varnameAfter=/varname, varnamenetwork-pre.target/varname./para + +paraFirewall services should order themselves varnameBefore=/varname, and +declare a varnameRequiredBy=/varname relation to, varnamenetwork-pre.target/varname. 
+Once enabled, their failure to start will impede network communication, avoiding +dangerous leaks./para + +para(These usages are compatible with older versions of systemd that do not ship +varnamenetwork-pre.target/varname, because relations to missing units are +dropped.)/para +/refsect1 + +refsect1 +titleSee Also/title +para + citerefentryrefentrytitlesystemd/refentrytitlemanvolnum1/manvolnum/citerefentry, + citerefentryrefentrytitlesystemd.target/refentrytitlemanvolnum5/manvolnum/citerefentry + citerefentryrefentrytitlesystemd.unit/refentrytitlemanvolnum5/manvolnum/citerefentry +/para +/refsect1 + +/refentry diff --git a/units/network-pre.target b/units/network-pre.target new file mode 100644 index 000..0d4d363 --- /dev/null +++ b/units/network-pre.target @@ -0,0 +1,11 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Network (Pre) +Documentation=man:network-pre.target(8) +RefuseManualStart=yes diff --git a/units/network.target b/units/network.target index 65fc64b..b80a8cc 100644 ---
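Review bot: the Usage section of man/network-pre.target.xml claims the convention is compatible with older systemd because relations to missing units are dropped, yet the paragraph just before it makes network configuration services Require= the target, and a Requires= on a unit that does not exist fails the requiring service (the point raised against this text in the v3 reply); either drop the compatibility claim or recommend Wants=/After= on that side. The file header carries "Copyright 2014 Tom Gundersen" while the authorgroup names Rusty Bird, which reads like a leftover from the page the skeleton was copied from, and the page goes into section 8 (manvolnum 8, Documentation=man:network-pre.target(8)) although the other targets are documented in systemd.special(7), which the v3 reply also asks for. The units/network.target and units/systemd-networkd.service.in hunks listed in the diffstat are cut off after the network.target file header and cannot be reviewed here.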
[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks
https://bugs.freedesktop.org/show_bug.cgi?id=79600 --- Makefile.am | 1 + man/systemd.special.xml | 1 + units/network-pre.target | 11 +++ units/network.target | 2 ++ units/systemd-networkd.service.in | 3 ++- 5 files changed, 17 insertions(+), 1 deletion(-) create mode 100644 units/network-pre.target diff --git a/Makefile.am b/Makefile.am index a2a01d0..79adc34 100644 --- a/Makefile.am +++ b/Makefile.am @@ -413,6 +413,7 @@ dist_systemunit_DATA = \ units/remote-fs.target \ units/remote-fs-pre.target \ units/network.target \ + units/network-pre.target \ units/network-online.target \ units/nss-lookup.target \ units/nss-user-lookup.target \ diff --git a/man/systemd.special.xml b/man/systemd.special.xml index 8c2..7515cf8 100644 --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -71,6 +71,7 @@ filenamelocal-fs-pre.target/filename, filenamemulti-user.target/filename, filenamenetwork.target/filename, +filenamenetwork-pre.target/filename, filenamenetwork-online.target/filename, filenamenss-lookup.target/filename, filenamenss-user-lookup.target/filename, diff --git a/units/network-pre.target b/units/network-pre.target new file mode 100644 index 000..0c4a0ca --- /dev/null +++ b/units/network-pre.target @@ -0,0 +1,11 @@ +# This file is part of systemd. +# +# systemd is free software; you can redistribute it and/or modify it +# under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2.1 of the License, or +# (at your option) any later version. + +[Unit] +Description=Network (Pre) +Documentation=man:systemd.special(7) +RefuseManualStart=yes diff --git a/units/network.target b/units/network.target index 65fc64b..6966035 100644 --- a/units/network.target +++ b/units/network.target @@ -9,3 +9,5 @@ Description=Network Documentation=man:systemd.special(7) Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget +Requires=network-pre.target +After=network-pre.target 
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in index 373ac4e..8e4d213 100644 --- a/units/systemd-networkd.service.in +++ b/units/systemd-networkd.service.in @@ -9,8 +9,9 @@ Description=Network Service Documentation=man:systemd-networkd.service(8) DefaultDependencies=no -After=dbus.service +After=dbus.service network-pre.target Before=network.target +Requires=network-pre.target Wants=network.target ConditionCapability=CAP_NET_ADMIN -- 2.0.0
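Review bot: Requires=network-pre.target in both units/network.target and units/systemd-networkd.service.in turns the new target into a hard dependency of the networking stack, so it is pulled into every boot even when no firewall service is installed, and on a systemd whose unit directory lacks network-pre.target the Requires= fails network.target itself (the objection raised in the v3 reply); if the intent is ordering plus an optional fail-closed hook, After=network-pre.target on the network side with the firewall unit pulling the target in from its [Install] section avoids both. The man/systemd.special.xml hunk only adds the filename to the overview list, with no varlistentry saying what the target means or how units should relate to it, and it inserts network-pre.target before network-online.target in a list that is otherwise alphabetical. RefuseManualStart=yes in the new units/network-pre.target also stops an administrator from starting the target by hand while debugging a failed firewall.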