See also: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/751
"Each sandboxing option will need an individual merge request and be reviewed and discussed one at a time. Patches welcome!"
On 04.03.23 at 09:16, Michael Biebl wrote:

Control: tags -1 + upstream

Hi Russell,

it's definitely too late to do that for bookworm, so it will have to wait for trixie.

This also would benefit from upstream feedback and is ideally applied directly to the upstream provided NetworkManager.service.

Could you thus raise this at https://gitlab.freedesktop.org/NetworkManager/NetworkManager/ please?

Michael

On 04.03.23 at 03:55, Russell Coker wrote:

Package: network-manager
Version: 1.42.0-1
Severity: normal
Tags: patch

Here is a set of additions to the systemd security policy for this. I have tested them with wifi networking and they work. They need more testing before including in Debian. We may be able to get a few of them at a suitable level of testing for the freeze but probably not most of them.

[Service]
# no new privs is an obvious one, no setuid programs etc run
NoNewPrivileges=true
# protecting kernel logs should be safe
ProtectKernelLogs=true
# this program does no CG or namespace management
ProtectControlGroups=true
RestrictNamespaces=true
# protecting modules is probably safe
ProtectKernelModules=true
# changing system call arch and personality not needed
SystemCallArchitectures=native
LockPersonality=true
# should be safe, probably has no real impact
UMask=077
# tested and seems to work, should be obvious if it breaks things
PrivateTmp=true
# this would obviously break if it was needed, well written programs won't need it
MemoryDenyWriteExecute=true
# no need for realtime stuff
RestrictRealtime=true
# no need to create SETUID/SETGID programs
RestrictSUIDSGID=true
# not sure it needs rfkill, definitely doesn't need most devices
DeviceAllow=/dev/rfkill
DevicePolicy=closed
# dhcp hostname and ntp should be a different process, right?
ProtectHostname=true
ProtectClock=true
# only needs the @resources group
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
# SELinux does not allow CAP_SYS_CHROOT
CapabilityBoundingSet=~CAP_SYS_CHROOT
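Since the proposed directives are meant to land either in the upstream unit or, meanwhile, in a local drop-in, the thing worth checking is what the effective unit actually ends up with. The following checker is an added example (not code from the bug report, Debian, NetworkManager or systemd): fed the output of `systemctl cat` (base unit followed by its drop-ins), it reports which of the directives proposed above are still missing or overridden. It encodes the systemd semantics that matter when settings arrive via a drop-in: SystemCallFilter, CapabilityBoundingSet and DeviceAllow accumulate across repeated assignments, an empty `Key=` resets such a list, and a leading `~` turns an assignment into a deny-list. The embedded sample unit text is constructed for the example; its ExecStart line, drop-in path and CAP_NET_ADMIN bounding set are hypothetical and not the real Debian unit.

```python
"""Check a systemd unit's [Service] section against the report's hardening set.

Added example, not code from the bug report, Debian, NetworkManager or systemd.
Models the rules the check relies on: list directives (SystemCallFilter etc.)
accumulate across assignments and drop-ins, "Key=" resets them, "~" denies.
"""
import sys

LIST_KEYS = {"SystemCallFilter", "CapabilityBoundingSet", "DeviceAllow"}

# Directives proposed in the report and the value each must carry.
BASELINE_TRUE = ("NoNewPrivileges", "ProtectKernelLogs", "ProtectControlGroups",
                 "RestrictNamespaces", "ProtectKernelModules", "LockPersonality",
                 "PrivateTmp", "MemoryDenyWriteExecute", "RestrictRealtime",
                 "RestrictSUIDSGID", "ProtectHostname", "ProtectClock")
BASELINE_SCALARS = {**{k: "true" for k in BASELINE_TRUE}, "UMask": "077",
                    "SystemCallArchitectures": "native", "DevicePolicy": "closed"}
BASELINE_DENIED_SYSCALLS = ("@mount", "@cpu-emulation", "@debug", "@raw-io",
                            "@reboot", "@swap", "@obsolete", "@privileged")

# Constructed sample in the shape of `systemctl cat` output: a hypothetical base
# unit plus a drop-in carrying the proposal.  Not the real Debian unit.
SAMPLE_UNIT = """\
# /lib/systemd/system/NetworkManager.service
[Service]
CapabilityBoundingSet=CAP_NET_ADMIN CAP_SYS_CHROOT

# /etc/systemd/system/NetworkManager.service.d/hardening.conf
[Service]
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictNamespaces=true
ProtectKernelModules=true
SystemCallArchitectures=native
LockPersonality=true
UMask=077
PrivateTmp=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true
DeviceAllow=/dev/rfkill
DevicePolicy=closed
ProtectHostname=true
ProtectClock=true
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @swap @obsolete @privileged
CapabilityBoundingSet=~CAP_SYS_CHROOT
"""


def parse_service(text: str) -> dict[str, list[str]]:
    """Collect [Service] directives; list keys keep every assignment in order."""
    directives: dict[str, list[str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key in LIST_KEYS:
            if value == "":
                directives[key] = []  # "Key=" discards what earlier lines added
            else:
                directives.setdefault(key, []).append(value)
        else:
            directives[key] = [value]  # scalar: the last assignment wins
    return directives


def blocked(entries: list[str], item: str) -> bool:
    """True if the allow/deny-list assignments block `item` ("~x y" denies, "x y" allows).
    With any allow-list present, anything not allowed or explicitly denied is blocked."""
    allow, deny = set(), set()
    for entry in entries:
        (deny if entry.startswith("~") else allow).update(entry.lstrip("~").split())
    return item not in (allow - deny) if allow else item in deny


def hardening_findings(unit_text: str) -> list[str]:
    """Return what the unit still lacks relative to the proposed baseline."""
    svc = parse_service(unit_text)
    findings = [f"{key}: have {svc.get(key, ['<unset>'])[-1]}, want {want}"
                for key, want in BASELINE_SCALARS.items()
                if svc.get(key, [None])[-1] != want]
    findings += [f"SystemCallFilter does not block {g}" for g in BASELINE_DENIED_SYSCALLS
                 if not blocked(svc.get("SystemCallFilter", []), g)]
    findings += [f"CapabilityBoundingSet keeps {c}" for c in ("CAP_SYS_CHROOT",)
                 if not blocked(svc.get("CapabilityBoundingSet", []), c)]
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNIT
    print("\n".join(hardening_findings(text)) or "baseline satisfied")
```

Run it against the effective unit with `systemctl cat NetworkManager.service | python3 check_hardening.py /dev/stdin`; without an argument it checks the embedded sample. Syscall group names are compared literally, so a filter that denies `@privileged` is not credited for the groups nested inside it, and `systemd-analyze security NetworkManager.service` remains the authoritative view of what the running unit is actually sandboxed with.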