Package: slt Version: 0.0.git20140301-6+b3 Severity: normal Tags: patch Dear Maintainer,
currently the stl package lacks a systemd service. Attached you find one. The service contains my specific execution restrictions. Thus should help working around slt's lack of priviledge dropping. The systemd service is written by Konrad Mohrfeldt (kmo...@systemausfall.org) and released under the public domain. Feel free to re-license it. Cheers, Lars
[Unit] Description=TLS port multiplexer ConditionPathExists=/etc/slt/%i.yaml Wants=network.target [Service] Type=simple ExecStart=/usr/bin/slt /etc/slt/%i.yaml Restart=on-failure # Use systemd's ability to disable security-sensitive features # that slt does not explicitly need. NoNewPrivileges=True # slt only needs to bind to privileged ports, nothing else # see: https://man7.org/linux/man-pages/man7/capabilities.7.html CapabilityBoundingSet=CAP_NET_BIND_SERVICE # slt only executes native code with no need for any other ABIs. SystemCallArchitectures=native # Only allow system calls required by slt. # see: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter= # This should suffice, but doesn't work: # SystemCallFilter=@basic-io @ipc @io-event @network-io @process @signal SystemCallFilter=@system-service SystemCallFilter=~@resources @aio @chown @cpu-emulation @debug @memlock @keyring @module @mount @obsolete @privileged @raw-io @reboot @setuid @swap @sync @timer # ProtectSystem=strict disables write calls to the entire filesystem hierarchy, # leaving only /dev/, /proc/, and /sys/ writable. # slt doesn't need access to those so might as well disable them. ProtectSystem=strict PrivateDevices=True ProtectControlGroups=True ProtectKernelTunables=True # Make /home/, /root/, and /run/user/ inaccessible. ProtectHome=True # slt doesn't handle any specific device nodes # so we only allow common paths like /dev/null or /dev/random. DevicePolicy=closed # slt doesn't make use of linux namespaces. RestrictNamespaces=True # slt doesn't need realtime scheduling. RestrictRealtime=True # Make sure files created by slt are only readable by itself and # others in the slt system group. UMask=0027 # Disable memory mappings that are both writable and executable. MemoryDenyWriteExecute=True # slt doesn't make use of linux personality switching. LockPersonality=True # slt only needs to support the IPv4 and IPv6 address families. RestrictAddressFamilies=AF_INET AF_INET6 # slt doesn't need to load any linux kernel modules. ProtectKernelModules=True [Install] WantedBy=multi-user.target
