On 15.01.2018 at 18:58, Ludovic Gasc wrote:
Hi,
(Not sure this is the right mailing list to discuss this; tell me if
it's another one)
For your information, systemd offers several options to increase the
security of each daemon based on cgroups, like Docker or rkt.
For example:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Capabilities
This approach makes it possible to keep the classical Linux distribution daemons
with simple maintenance actions via apt or yum + the same container
security as a Docker image.
A discussion has already started on the Debian tracker:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863841
Based on this proposal, I made a new service override with extra
security (see below).
But now, I need your help for two parameters of systemd:
1. The list of minimal capabilities needed for bind to run correctly:
http://man7.org/linux/man-pages/man7/capabilities.7.html
2. The list of minimal SystemCallFilter:
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#SystemCallFilter=
Where could I find the lists?
You cannot limit SystemCallFilter that way, because every software or glibc
update could change the syscalls that are used, and previously unknown ones may get
added, like the random generator recently. Blacklisting them is the way to go.
[root@srv-rhsoft:~/updateservice/subversion]$ cat /etc/systemd/system/named.service
[Unit]
Description=DNS Server
After=network.service systemd-networkd.service network-online.target network-wan-bridge.service network-wlan-bridge.service openvpn.service

[Service]
Type=simple
ExecStartPre=/usr/libexec/setup-named-chroot.sh /var/named/chroot on
ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf
ExecStart=/usr/sbin/named -4 -f -u named -t /var/named/chroot
ExecReload=/usr/bin/kill -HUP $MAINPID
ExecStop=/usr/bin/kill -TERM $MAINPID
ExecStopPost=/usr/libexec/setup-named-chroot.sh /var/named/chroot off
TimeoutSec=25
Restart=always
RestartSec=1
PrivateTmp=yes
PrivateDevices=yes
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_KILL CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW CAP_IPC_LOCK CAP_SYS_CHROOT
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
ReadOnlyDirectories=/etc
ReadOnlyDirectories=/usr
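The thread turns on the difference between a SystemCallFilter= denylist (the `~` form posted above) and an allowlist built from what one strace run happened to show. A practical check before deploying either is to compare the filter in the unit file with the syscalls the daemon was actually observed making. The script below is an added example written for this thread, not code from the original posters, ISC or systemd. It parses the `[Service]` section of a unit (repeated SystemCallFilter= assignments are merged, an empty assignment resets the filter, as the systemd man page describes; mixed allow/deny assignments and `@group` set expansion are deliberately left out), reads syscall names from the last column of an `strace -c` summary, and reports which observed syscalls the filter would kill. The strace summary and the allowlist unit are constructed samples, not a real trace of named; the denylist is the one posted above, reflowed onto one line.

```python
"""Compare a systemd SystemCallFilter= with syscalls a daemon was seen making.

Added example for the bind-users thread; not from the original posts,
ISC or systemd.  Observed syscalls come from the 'syscall' column of an
`strace -f -c` summary (here a constructed sample, not a real trace).
"""
import re

# Denylist posted in the thread, reflowed to one line.
POSTED_UNIT = """\
[Service]
Type=simple
SystemCallFilter=~acct modify_ldt add_key adjtimex clock_adjtime delete_module fanotify_init finit_module get_mempolicy init_module io_destroy io_getevents iopl ioperm io_setup io_submit io_cancel kcmp kexec_load keyctl lookup_dcookie migrate_pages move_pages open_by_handle_at perf_event_open process_vm_readv process_vm_writev ptrace remap_file_pages request_key set_mempolicy swapoff swapon uselib vmsplice
"""

# Hypothetical allowlist an admin might derive from a single strace run
# (constructed for this example; it predates getrandom in the trace below).
ALLOWLIST_UNIT = """\
[Service]
SystemCallFilter=read write open openat close fstat mmap munmap brk rt_sigaction
SystemCallFilter=rt_sigprocmask futex socket bind listen accept4 recvmsg sendmsg
SystemCallFilter=epoll_wait epoll_ctl clock_gettime exit_group
"""

# Constructed `strace -c` style summary (columns: % time, seconds,
# usecs/call, calls, [errors], syscall).  Not a real named trace.
STRACE_SUMMARY = """\
% time     seconds  usecs/call     calls    errors syscall
------ ----------- ----------- --------- --------- ----------------
 41.10    0.001234           5       240           epoll_wait
 22.00    0.000660           3       220           recvmsg
 10.50    0.000315           3       105           sendmsg
  9.00    0.000270           2       135           futex
  5.40    0.000162           4        40           openat
  4.00    0.000120           3        40           read
  3.00    0.000090           3        30           close
  2.00    0.000060           6        10           getrandom
  1.50    0.000045           5         9           socket
  1.50    0.000045           5         9           bind
------ ----------- ----------- --------- --------- ----------------
100.00    0.003001                   838           total
"""


def parse_syscall_filter(unit_text):
    """Return (mode, names): mode is 'deny', 'allow' or None (no filter).

    Repeated SystemCallFilter= lines are merged and an empty assignment
    resets the filter, as systemd documents.  Assumes all assignments use
    the same mode; '@group' set names are kept verbatim, not expanded.
    """
    mode, names, in_service = None, set(), False
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith('['):
            in_service = (line == '[Service]')
            continue
        if not in_service or not line.startswith('SystemCallFilter='):
            continue
        value = line[len('SystemCallFilter='):].strip()
        if value == '':
            mode, names = None, set()      # empty assignment resets
            continue
        this_mode = 'deny' if value.startswith('~') else 'allow'
        if mode not in (None, this_mode):
            raise ValueError('mixed allow/deny assignments not handled here')
        mode = this_mode
        names.update(value.lstrip('~').split())
    return mode, names


def parse_strace_summary(text):
    """Syscall names from the last column of an `strace -c` summary."""
    seen = set()
    for line in text.splitlines():
        cols = line.split()
        # Data rows start with a numeric percentage and end with the name;
        # the header, separator and 'total' rows are skipped.
        if len(cols) >= 5 and re.fullmatch(r'[0-9.]+', cols[0]) and cols[-1] != 'total':
            seen.add(cols[-1])
    return seen


def blocked_syscalls(unit_text, observed):
    """Observed syscalls that the unit's filter would refuse."""
    mode, names = parse_syscall_filter(unit_text)
    if mode is None:
        return set()
    if mode == 'deny':
        return observed & names            # only listed calls are refused
    return observed - names                # everything unlisted is refused


if __name__ == '__main__':
    seen = parse_strace_summary(STRACE_SUMMARY)
    print('posted denylist would block:', sorted(blocked_syscalls(POSTED_UNIT, seen)))
    print('allowlist would block:', sorted(blocked_syscalls(ALLOWLIST_UNIT, seen)))
```

Run against the sample, the posted denylist blocks nothing the daemon was seen doing, while the allowlist built from an earlier run refuses `getrandom`, the kind of newly used syscall that turns a working allowlist into a crashing daemon after a library update. The same comparison can be fed the real output of `strace -f -c -p $(pidof named)` collected over a representative period.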
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users