From 1e1a658f7869807ca31ebc15a71ba34a5b64c9d0 Mon Sep 17 00:00:00 2001
From: Rahul Sundaram
Date: Wed, 28 Feb 2024 13:19:03 -0500
Subject: [PATCH 1/2] Update Systemd security settings

---
 src/units/system/dbus-broker.service.in | 20 +++++++++++++++++---
 src/units/user/dbus-broker.service.in | 17 +++++++++++++++++
 2 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/src/units/system/dbus-broker.service.in b/src/units/system/dbus-broker.service.in
index cc5ae361..cf01890c 100644
--- a/src/units/system/dbus-broker.service.in
+++ b/src/units/system/dbus-broker.service.in
@@ -12,11 +12,25 @@ Type=notify
 Sockets=dbus.socket
 OOMScoreAdjust=-900
 LimitNOFILE=16384
-ProtectSystem=full
-PrivateTmp=true
-PrivateDevices=true
 ExecStart=@bindir@/dbus-broker-launch --scope system --audit
 ExecReload=@bindir@/busctl call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 Alias=dbus.service
diff --git a/src/units/user/dbus-broker.service.in b/src/units/user/dbus-broker.service.in
index 15de0d5b..1fda67e0 100644
--- a/src/units/user/dbus-broker.service.in
+++ b/src/units/user/dbus-broker.service.in
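Review bot: The directive block added to the system unit (hunk `@@ -12,11 +12,25 @@`) leaves the broker's capabilities, socket address families and system calls unbounded: no `CapabilityBoundingSet=`, `RestrictAddressFamilies=` or `SystemCallFilter=` line accompanies the `Protect*`/`Restrict*` set. Those are the settings that most limit what a compromised bus daemon could still do, so they are worth adding in the same change. Candidates to test are `RestrictAddressFamilies=AF_UNIX AF_NETLINK` (netlink is presumably needed because ExecStart passes `--audit`) and `SystemCallFilter=@system-service`; the right capability set depends on how the launcher drops privileges, which this hunk does not show. Comparing `systemd-analyze security dbus-broker.service` before and after would confirm the effect. The [Service] section starts above the hunk.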
@@ -13,6 +13,23 @@ Sockets=dbus.socket
 ExecStart=@bindir@/dbus-broker-launch --scope user
 ExecReload=@bindir@/busctl --user call org.freedesktop.DBus /org/freedesktop/DBus org.freedesktop.DBus ReloadConfig
 Slice=session.slice
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=true
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=full
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
 
 [Install]
 Alias=dbus.service
From ec400a1007e59792d00004a319f0bcb84f53bbbc Mon Sep 17 00:00:00 2001
From: Rahul Sundaram
Date: Mon, 11 Mar 2024 17:31:55 -0400
Subject: [PATCH 2/2] Systemd security settings

---
 src/units/system/dbus-broker.service.in | 2 +-
 src/units/user/dbus-broker.service.in | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/units/system/dbus-broker.service.in b/src/units/system/dbus-broker.service.in
index cf01890c..cb90ba3c 100644
--- a/src/units/system/dbus-broker.service.in
+++ b/src/units/system/dbus-broker.service.in
@@ -18,7 +18,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
-PrivateTmp=true
+PrivateTmp=yes
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
diff --git a/src/units/user/dbus-broker.service.in b/src/units/user/dbus-broker.service.in
index 1fda67e0..079c46ad 100644
--- a/src/units/user/dbus-broker.service.in
+++ b/src/units/user/dbus-broker.service.in
@@ -17,7 +17,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
-PrivateTmp=true
+PrivateTmp=yes
 ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=read-only
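Review bot: In the user unit hunk of PATCH 1/2 (`@@ -13,6 +13,23 @@`), `PrivateDevices=`, `PrivateTmp=`, `ProtectHome=read-only`, `ProtectSystem=full` and the `ProtectKernel*`/`ProtectControlGroups=` lines all need a mount namespace, which a per-user service manager can only create through an unprivileged user namespace (recent systemd.exec documentation describes PrivateUsers= being implicitly enabled in that case). On hosts where unprivileged user namespaces are disabled, or with an older systemd, these lines are likely either not applied or make the unit fail at start, and a user bus that does not start breaks the session, so this should be confirmed on such a host before merging. `ProtectHome=read-only` also covers /run/user, so it is worth checking that nothing the launcher does under the runtime directory needs write access. A safer split is to keep in the user unit only the settings that work without namespaces (`NoNewPrivileges=`, `LockPersonality=`, `MemoryDenyWriteExecute=`, `RestrictNamespaces=`, `RestrictRealtime=`, `RestrictSUIDSGID=`, `SystemCallArchitectures=`) under a comment such as `# mount-namespace sandboxing omitted: requires unprivileged user namespaces`.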