Package: bird2
Version: 2.0.7-4
Severity: wishlist
Tags: patch
X-Debbugs-Cc: j24...@gmail.com
Dear Maintainer,

It would be nice if systemd's service file could use the appropriate options instead of relying on an additional shell script (at least when systemd is used). This also allows enabling additional sandboxing options, e.g. preventing read access to /home.

The attached patch is a suggestion and has been used in a similar form on my systems for quite a while now.

Thanks for maintaining this package,
bauen1

-- System Information:
Debian Release: bullseye/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.0-1-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: SELinux: enabled - Mode: Enforcing - Policy name: refpolicy

Versions of packages bird2 depends on:
ii  adduser              3.118
ii  init-system-helpers  1.58
ii  libc6                2.31-1
ii  libreadline8         8.0-4
ii  libssh-gcrypt-4      0.9.4-1
ii  libtinfo6            6.2-1
ii  lsb-base             11.1.0
ii  ucf                  3.0043

bird2 recommends no packages.

Versions of packages bird2 suggests:
pn  bird2-doc  <none>

-- Configuration Files:
/etc/init.d/bird [Errno 13] Permission denied: '/etc/init.d/bird'

-- no debconf information
>From 1b531d931d5f0556099cc2168de115e4e5da89dc Mon Sep 17 00:00:00 2001 From: bauen1 <j24...@gmail.com> Date: Tue, 21 Jul 2020 19:23:41 +0200 Subject: [PATCH] Make use of systemd options instead of using a shell script This allows a more tight sandbox (e.g. preventing access to /home). --- debian/bird2.bird.service | 38 +++++++++++++++++++++++++++++++++++--- 1 file changed, 35 insertions(+), 3 deletions(-) diff --git a/debian/bird2.bird.service b/debian/bird2.bird.service index 37e75fb..e0a9b47 100644 --- a/debian/bird2.bird.service +++ b/debian/bird2.bird.service @@ -1,13 +1,45 @@ [Unit] -Description=BIRD Internet Routing Daemon +Description=BIRD 2.0 Internet Routing Daemon After=network.target [Service] EnvironmentFile=/etc/bird/envvars -ExecStartPre=/usr/lib/bird/prepare-environment + +User=$BIRD_RUN_USER +Group=$BIRD_RUN_GROUP +RuntimeDirectory=bird +NoNewPrivileges=true +AmbientCapabilities=CAP_NET_RAW CAP_NET_BIND CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_BIND_SERVICE + +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=full +LockPersonality=true +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native +ProtectSystem=full +LockPersonality=true +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +SystemCallArchitectures=native + ExecStartPre=/usr/sbin/bird -p + +# birdc configure does not correctly set the exit code if the reload failed +# so by running `bird -p` the config is checked for errors and a correct error +# code is set +ExecReload=/usr/sbin/bird -p ExecReload=/usr/sbin/birdc configure -ExecStart=/usr/sbin/bird -f -u $BIRD_RUN_USER -g $BIRD_RUN_GROUP $BIRD_ARGS + +ExecStart=/usr/sbin/bird -f $BIRD_ARGS Restart=on-abort [Install] -- 2.28.0.rc1
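Review bot: `User=$BIRD_RUN_USER` and `Group=$BIRD_RUN_GROUP` in this hunk will not do what the patch intends, because systemd only expands `$VAR` references from `EnvironmentFile=` on the command lines of `Exec*=` directives, not in `User=`/`Group=`; the literal string `$BIRD_RUN_USER` is taken as the account name, which systemd rejects as invalid, so the daemon is not started as the intended unprivileged user and the sandboxing the commit message promises silently does not apply. Either hard-code the account the package creates (e.g. `User=bird`, `Group=bird`) or stop sourcing the run user from `/etc/bird/envvars` altogether. Two smaller problems in the same hunk: `CAP_NET_BIND` in `AmbientCapabilities=` is not a Linux capability name (systemd does not recognise it; the correct `CAP_NET_BIND_SERVICE` is already in the list, so just drop the bogus entry), and the six lines from `ProtectSystem=full` to `SystemCallArchitectures=native` are pasted twice, so one copy should be removed. Consider adding a matching `CapabilityBoundingSet=` so the process cannot hold any capability beyond the ambient set, and since `ExecStartPre=/usr/sbin/bird -p` and the new `ExecReload=/usr/sbin/bird -p` now also run as the unprivileged account, the reporter should confirm that `/etc/bird/bird.conf` is readable by it, otherwise start and reload both fail at the config check.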