From 34a8c6864d69752326a7d09046886920ec76cfbf Mon Sep 17 00:00:00 2001 From: Alexandre Iooss Date: Thu, 26 Aug 2021 17:34:00 +0200 Subject: [PATCH] dist: Set ProtectClock, RestrictAddressFamilies and CapabilityBoundingSet This increases the isolation of Maddy service. Maddy capabilities can be bound to only CAP_NET_BIND_SERVICE. This also restricts the service to only use Unix sockets, IPv4 and IPv6. --- dist/systemd/maddy.service | 3 +++ dist/systemd/maddy@.service | 3 +++ 2 files changed, 6 insertions(+) diff --git a/dist/systemd/maddy.service b/dist/systemd/maddy.service index 95df73dd..2377a9e4 100644 --- a/dist/systemd/maddy.service +++ b/dist/systemd/maddy.service @@ -29,7 +29,9 @@ ProtectHome=true ProtectSystem=strict ProtectKernelTunables=true ProtectHostname=true +ProtectClock=true ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 # Additional sandboxing. You need to disable all of these options # for privileged helper binaries (for system auth) to work correctly. @@ -50,6 +52,7 @@ KillSignal=SIGTERM # Required to bind on ports lower than 1024. AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Force all files created by maddy to be only readable by it. UMask=0027 diff --git a/dist/systemd/maddy@.service b/dist/systemd/maddy@.service index 9805f6fb..b056b6d3 100644 --- a/dist/systemd/maddy@.service +++ b/dist/systemd/maddy@.service @@ -25,7 +25,9 @@ PrivateHome=true ProtectSystem=strict ProtectKernelTunables=true ProtectHostname=true +ProtectClock=true ProtectControlGroups=true +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 DeviceAllow=/dev/syslog # Additional sandboxing. You need to disable all of these options @@ -46,6 +48,7 @@ KillSignal=SIGTERM # Required to bind on ports lower than 1024. AmbientCapabilities=CAP_NET_BIND_SERVICE +CapabilityBoundingSet=CAP_NET_BIND_SERVICE # Force all files created by maddy to be only readable by it. UMask=0027