Package: memlockd Version: 1.3-2.1+b1 Severity: normal Tags: upstream patch
While memlockd is an unlikely target of attack everything should run with minimum privs and this isn't a complex daemon and can be restricted a lot while providing full functionality. Here are a set of options that work well when added to the .service file: [Service] # CAP_IPC_LOCK is needed to lock RAM # CAP_SYS_PTRACE is needed to run ldd # CAP_SETGID and CAP_SETUID are needed to run ldd as a different user # CAP_DAC_OVERRIDE is needed to map files without Unix permissions granting read CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_SYS_PTRACE CAP_IPC_LOCK #CapabilityBoundingSet=~CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_KILL CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PACCT CAP_SYS_ADMIN RestrictNamespaces=true SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap @module @obsolete @clock # @privileged ProtectSystem=strict ProtectProc=invisible SystemCallArchitectures=native UMask=077 NoNewPrivileges=true ProtectKernelLogs=true ProtectControlGroups=true ProtectKernelModules=true ProtectHome=true PrivateTmp=true MemoryDenyWriteExecute=true ProtectHostname=true LockPersonality=true RestrictRealtime=true DevicePolicy=closed ProtectClock=true RestrictSUIDSGID=true ProtectKernelTunables=true PrivateDevices=true RestrictAddressFamilies=~AF_INET AF_INET6 AF_PACKET AF_NETLINK PrivateNetwork=true -- System Information: Debian Release: 12.0 Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.1.0-6-amd64 (SMP w/18 CPU threads; PREEMPT) Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), LANGUAGE=en_AU:en Shell: /bin/sh linked to /usr/bin/dash Init: unable to detect Versions of packages memlockd depends on: ii adduser 3.134 ii libc6 2.36-9 memlockd recommends no packages. memlockd suggests no packages. -- debconf-show failed

