Package: memlockd
Version: 1.3-2.1+b1
Severity: normal
Tags: upstream patch

While memlockd is an unlikely target of attack everything should run with
minimum privs and this isn't a complex daemon and can be restricted a lot
while providing full functionality.  Here are a set of options that work
well when added to the .service file:

[Service]
# CAP_IPC_LOCK is needed to lock RAM
# CAP_SYS_PTRACE is needed to run ldd
# CAP_SETGID and CAP_SETUID are needed to run ldd as a different user
# CAP_DAC_OVERRIDE is needed to map files without Unix permissions granting read
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_SETUID CAP_SETGID CAP_SYS_PTRACE 
CAP_IPC_LOCK
#CapabilityBoundingSet=~CAP_CHOWN CAP_FOWNER CAP_FSETID CAP_KILL 
CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN 
CAP_NET_RAW CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT 
CAP_SYS_PACCT CAP_SYS_ADMIN
RestrictNamespaces=true
SystemCallFilter=~@mount @cpu-emulation @debug @raw-io @reboot @resources @swap 
@module @obsolete @clock
# @privileged
ProtectSystem=strict
ProtectProc=invisible
SystemCallArchitectures=native
UMask=077
NoNewPrivileges=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectKernelModules=true
ProtectHome=true
PrivateTmp=true
MemoryDenyWriteExecute=true
ProtectHostname=true
LockPersonality=true
RestrictRealtime=true
DevicePolicy=closed
ProtectClock=true
RestrictSUIDSGID=true
ProtectKernelTunables=true
PrivateDevices=true
RestrictAddressFamilies=~AF_INET AF_INET6 AF_PACKET AF_NETLINK
PrivateNetwork=true

-- System Information:
Debian Release: 12.0
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.1.0-6-amd64 (SMP w/18 CPU threads; PREEMPT)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_AU:en
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages memlockd depends on:
ii  adduser  3.134
ii  libc6    2.36-9

memlockd recommends no packages.

memlockd suggests no packages.

-- debconf-show failed

Reply via email to