Hi,

(Not sure it's the right mailing list to discuss this; tell me if it's another one.)
For your information, systemd offers several options to increase the security of each daemon based on cgroups, like Docker or rkt. For example:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities

This approach permits keeping the classical Linux distribution daemons with simple maintenance actions via apt or yum, plus the same container security as a Docker image.

A discussion has already started on the Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841

Based on this proposal, I made a new service override with extra security (see below). But now, I need your help for two parameters of systemd:

1. The list of minimal capabilities needed for bind to run correctly:
   http://man7.org/linux/man-pages/man7/capabilities.7.html
2. The list of minimal SystemCallFilter:
   https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=

Where could I find the lists?

If you have other ideas to increase the security, I'm interested. My objective is to propose this service file to be integrated in Debian and Fedora.

Thanks for your feedback.

The service override:

[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
SystemCallFilter=~@mount @debug
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=strict
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectControlGroups=true
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind

--
Ludovic Gasc (GMLudo)
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
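An added example, not code from the post or from the BIND or systemd projects: a small Python linter that parses a drop-in like the override above the way systemd reads it (repeated keys accumulate) and reports the two points the post asks about, which capabilities remain in the bounding set and whether SystemCallFilter is an allow-list or a deny-list. The BROAD_CAPS threshold is this example's own assumption.

```python
# Added example, not code from the original post: a linter for a systemd
# drop-in. It parses the [Service] section (repeated keys accumulate, as
# systemd treats them) and reports which capabilities remain in the bounding
# set and whether SystemCallFilter is an allow-list or a deny-list.
from typing import Dict, List

# Capabilities this lint treats as broad enough to need a justification (assumption).
BROAD_CAPS = {"CAP_DAC_OVERRIDE", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE"}

# Subset of the override posted above, embedded so the example runs offline.
NAMED_OVERRIDE = """\
[Service]
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID
SystemCallFilter=~@mount @debug
InaccessiblePaths=/home
InaccessiblePaths=/opt
InaccessiblePaths=/root
ReadWritePaths=/run/named
ReadWritePaths=/var/cache/bind
ReadWritePaths=/var/lib/bind
"""

def parse_service(text: str) -> Dict[str, List[str]]:
    """Collect [Service] directives into key -> list of values (in file order)."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            out.setdefault(key, []).append(value)
    return out

def review(text: str) -> List[str]:
    """Return findings a reviewer would raise about the hardening directives."""
    svc = parse_service(text)
    findings = []
    caps = set(" ".join(svc.get("CapabilityBoundingSet", [])).split())
    for cap in sorted(caps & BROAD_CAPS):
        findings.append(f"bounding set keeps {cap}: bypasses file permission checks")
    for spec in svc.get("SystemCallFilter", []):
        if spec.startswith("~"):  # a leading '~' makes the list a deny-list
            findings.append(f"SystemCallFilter is a deny-list of {spec[1:].strip()}; "
                            "an allow-list would reject everything not named")
    return findings
```

Running `review(NAMED_OVERRIDE)` reports the CAP_DAC_OVERRIDE entry and the deny-list filter; it does not tell you the minimal sets the post asks for, which still have to come from the daemon's actual behaviour.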