Package: knockd
Version: 0.7-1
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu eoan ubuntu-patch

Dear Maintainer,

Any knockd configuration rules that call ufw fail, because every ufw change 
rewrites the ufw configuration files in /etc/ufw/, while the knockd systemd 
service is started with ProtectSystem=full, which mounts /etc read-only.

knockd's systemd service also restricts its capabilities, so it is unable to 
load the kernel modules needed for changing iptables rules, e.g. the ip6_tables 
module.


In Ubuntu, the attached patch was applied to achieve the following:


  * d/knockd.service:
    - Change ProtectSystem to 'true', to allow using ufw in knockd rules
      (LP: #1823051)
    - Add CAP_SYS_MODULE so knockd can load iptables modules if needed
      (LP: #1825974)
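As an added example that is not part of the Ubuntu patch or the Debian package, the following [Service] lines show a narrower way to meet the same two needs: keep /etc read-only except for the tree ufw rewrites, and pre-load the iptables modules at start-up instead of granting the daemon CAP_SYS_MODULE. ProtectSystem=, ReadWritePaths=, ExecStartPre= and CapabilityBoundingSet= are standard systemd directives; ip6_tables is the module named in this report, and iptable_filter is an assumed second module that a rule set might need.

```ini
# Alternative [Service] lines for knockd.service (added example, not the
# submitted patch). Only the lines relevant to the two bugs are shown.
[Service]
# Keep the stronger setting: /usr, /boot and /etc stay read-only ...
ProtectSystem=full
# ... except the one tree ufw has to rewrite when a knockd rule calls it.
ReadWritePaths=/etc/ufw
# Load the netfilter modules the rules need before the daemon starts.
# The leading "+" runs this single command with full privileges, outside
# the capability bounding set below, so the long-running daemon itself
# never holds CAP_SYS_MODULE. modprobe is a no-op if the module is loaded.
ExecStartPre=+/sbin/modprobe ip6_tables
# iptable_filter is an assumed example of another module a rule set may need.
ExecStartPre=+/sbin/modprobe iptable_filter
# Bounding set unchanged from the original unit: no module-loading right.
CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
```

After editing the unit, `systemctl daemon-reload` and a restart of knockd apply the change; `systemctl show knockd -p ProtectSystem -p ReadWritePaths -p CapabilityBoundingSet` confirms that /etc is still protected and that CAP_SYS_MODULE is absent from the bounding set.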


Thanks for considering the patch.


-- System Information:
Debian Release: buster/sid
  APT prefers disco-updates
  APT policy: (500, 'disco-updates'), (500, 'disco-security'), (500, 'disco')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.0.0-8-generic (SMP w/24 CPU cores)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru knockd-0.7/debian/control knockd-0.7/debian/control
--- knockd-0.7/debian/control   2016-11-17 04:54:44.000000000 -0500
+++ knockd-0.7/debian/control   2019-04-23 06:31:56.000000000 -0400
@@ -1,8 +1,7 @@
 Source: knockd
 Section: net
 Priority: optional
-Maintainer: Ubuntu Developers <ubuntu-devel-disc...@lists.ubuntu.com>
-XSBC-Original-Maintainer: Leo Antunes <cost...@debian.org>
+Maintainer: Leo Antunes <cost...@debian.org>
 Build-Depends: debhelper (>= 9.20160709~), autotools-dev, libpcap0.8-dev
 Standards-Version: 3.9.8
 Homepage: http://www.zeroflux.org/projects/knock
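Review bot: this control hunk is unrelated to the fix described above: it only swaps the Ubuntu Maintainer/XSBC-Original-Maintainer lines back to the Debian maintainer, which is the state the Debian tree already has, and the changelog text lists only d/knockd.service. Drop it from the patch, or regenerate the diff against the Debian package, so that only the service change remains.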
diff -Nru knockd-0.7/debian/knockd.service knockd-0.7/debian/knockd.service
--- knockd-0.7/debian/knockd.service    2019-03-10 11:13:50.000000000 -0400
+++ knockd-0.7/debian/knockd.service    2019-04-23 06:31:56.000000000 -0400
@@ -9,8 +9,8 @@
 ExecReload=/bin/kill -HUP $MAINPID
 KillMode=mixed
 SuccessExitStatus=0 2 15
-ProtectSystem=full
-CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN
+ProtectSystem=true
+CapabilityBoundingSet=CAP_NET_RAW CAP_NET_ADMIN CAP_SYS_MODULE
 
 [Install]
 WantedBy=multi-user.target
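Review bot: `ProtectSystem=true` removes /etc from the read-only set altogether (true covers /usr and /boot; full adds /etc), so all of /etc becomes writable for knockd rather than only /etc/ufw; keeping `ProtectSystem=full` and adding `ReadWritePaths=/etc/ufw` would open just the tree ufw rewrites. Adding CAP_SYS_MODULE to the bounding set lets the daemon load arbitrary kernel modules, which removes most of the value of having a bounding set on a packet-sniffing service; pre-loading the needed modules before the daemon starts (for example an `ExecStartPre=+/sbin/modprobe ip6_tables` line, where the `+` runs that one command outside the bounding set, or an entry under /etc/modules-load.d) achieves the same result without granting the capability. Whichever option is kept, the changelog should state the trade-off.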