Enable systemd hardening options for named

Petr Menšík pemensik at redhat.com
Wed Jan 31 20:47:18 UTC 2018


Hi Ludovic,

On Fedora, CAP_DAC_OVERRIDE is not granted to bind, because it might be a
dangerous feature. CAP_DAC_READ_SEARCH is a little bit safer, but still
might be unnecessary. It should be possible to run even without it with
careful permission configuration of keys and config files.

I think CAP_SYS_RESOURCE is required to automatically adjust the maximum
number of file descriptors/sockets from the configuration. But I am not 100%
sure about that.

I recently rejected a request to change from Type=forking. Has anyone got
a patch for bind to support a Type=notify systemd service? I would like to
get rid of pid file handling, but Type=simple will not work for me.

I am not sure if PrivateDevices=yes can be used by default on Fedora. We
also package the named-pkcs11 version, which should be able to access
hardware tokens and accelerators. I doubt it would work with that. I
want them to still work if they have worked until now. The normal variant
might use it; the chroot already has its own empty /dev.

There is a nice page about this on the Fedora wiki:
https://fedoraproject.org/wiki/Packaging:Systemd#Fields_to_avoid

Dne 15.1.2018 v 18:58 Ludovic Gasc napsal(a):
> Hi,
> 
> (Not sure it's the right mailing list to discuss this on; tell me if
> it's another one)
> 
> For your information, systemd offers several options to increase the
> security of each daemon based on cgroups, like Docker or rkt.
> For example: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities
> 
> This approach makes it possible to keep the classical Linux distribution
> daemons, with simple maintenance actions via apt or yum, plus the same
> container security as a Docker image.
> 
> A discussion has already started on Debian tracker:
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841
> 
> Based on this proposal, I made a new service override with extra
> security (see below).
> 
> But now, I need your help for two parameters of systemd:
> 1. The list of minimal capabilities needed for bind to run
> correctly: http://man7.org/linux/man-pages/man7/capabilities.7.html
> 2. The list of minimal
> SystemCallFilter: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
> 
> Where could I find the lists?
> 
> If you have other ideas to increase the security, I'm interested:
> my objective is to propose this service file for integration in Debian
> and Fedora.
> 
> Thanks for your feedback.
> 
> The service override:
> 
> [Service]
> CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
> SystemCallFilter=~@mount @debug
> NoNewPrivileges=true
> PrivateDevices=true
> PrivateTmp=true
> ProtectHome=true
> ProtectSystem=strict
> ProtectKernelModules=true
> ProtectKernelTunables=true
> ProtectControlGroups=true
> InaccessiblePaths=/home
> InaccessiblePaths=/opt
> InaccessiblePaths=/root
> ReadWritePaths=/run/named
> ReadWritePaths=/var/cache/bind
> ReadWritePaths=/var/lib/bind
> 
> --
> Ludovic Gasc (GMLudo)
> 
> 

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
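As an added example (not code from either message in this thread), one way to check what a hardened unit actually leaves to the running named: decode the CapBnd/CapEff hex masks from /proc/<pid>/status into capability names and compare them with the intended CapabilityBoundingSet from the override above. The status excerpt is constructed, and the capability numbering is the one from linux/capability.h.

```python
"""Decode capability masks from /proc/<pid>/status and compare them with
the CapabilityBoundingSet a hardened systemd unit is meant to enforce."""
import re

# Capability names indexed by bit position, as in <linux/capability.h>.
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID "
    "CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE "
    "CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW "
    "CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT "
    "CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE "
    "CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE "
    "CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE "
    "CAP_MAC_ADMIN CAP_SYSLOG CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ"
).split()

# The bounding set proposed in the service override quoted in the thread.
INTENDED = {"CAP_DAC_OVERRIDE", "CAP_NET_BIND_SERVICE", "CAP_SETGID", "CAP_SETUID"}

def decode_mask(hex_mask: str) -> set:
    """Turn a hex mask such as '0000000000000400' into capability names."""
    value = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (value >> bit) & 1}

def parse_status(text: str) -> dict:
    """Extract every Cap*: line from a /proc/<pid>/status dump as name sets."""
    return {key: decode_mask(mask)
            for key, mask in re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", text, re.M)}

def audit(status_text: str, intended: set) -> dict:
    """Report capabilities retained in the bounding set beyond the intended
    list, and intended ones no longer effective (e.g. dropped after setuid)."""
    caps = parse_status(status_text)
    return {
        "unexpected": sorted(caps["CapBnd"] - intended),
        "missing_effective": sorted(intended - caps["CapEff"]),
    }

# Constructed sample (hypothetical process): CapBnd holds the four intended
# capabilities plus CAP_SYS_RESOURCE; CapEff has already dropped
# CAP_SETGID/CAP_SETUID after named switched to its unprivileged user.
SAMPLE_STATUS = """Name:\tnamed
Pid:\t4242
CapInh:\t0000000000000000
CapPrm:\t0000000001000402
CapEff:\t0000000001000402
CapBnd:\t00000000010004c2
"""

if __name__ == "__main__":
    # On a live system read open(f"/proc/{pid}/status").read() instead.
    print(audit(SAMPLE_STATUS, INTENDED))
```

Running it against a real pid shows whether a proposed CapabilityBoundingSet is actually in force and which capabilities named still holds once it has changed user.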