From 83fccf9fe56546d3fc265ace4e1265174a946b40 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Frederik=20=E2=80=9CFreso=E2=80=9D=20S=2E=20Olesen?= Date: Sun, 27 Dec 2020 13:04:36 +0100 Subject: [PATCH] tailscaled.service: Lock down clock and /dev (#1071) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Research in issue #1063 uncovered why tailscaled would fail with ProtectClock enabled (it implicitly enabled DevicePolicy=closed). This knowledge in turn also opens the door for locking down /dev further, e.g. explicitly setting DevicePolicy=strict (instead of closed), and making /dev private for the unit. Additional possible future (or downstream) lockdown that can be done is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`), however, systemd 233 or later is required for this, and tailscaled currently need to work for systemd down to version 215. Closes https://github.com/tailscale/tailscale/issues/1063 Signed-off-by: Frederik “Freso” S. Olesen --- cmd/tailscaled/tailscaled.service | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cmd/tailscaled/tailscaled.service b/cmd/tailscaled/tailscaled.service index 447b9cb21..878e86341 100644 --- a/cmd/tailscaled/tailscaled.service +++ b/cmd/tailscaled/tailscaled.service @@ -20,9 +20,15 @@ CacheDirectory=tailscale CacheDirectoryMode=0750 Type=notify +DeviceAllow=/dev/net/tun +DeviceAllow=/dev/null +DeviceAllow=/dev/random +DeviceAllow=/dev/urandom +DevicePolicy=strict LockPersonality=true MemoryDenyWriteExecute=true PrivateTmp=true +ProtectClock=true ProtectControlGroups=true ProtectHome=true ProtectKernelTunables=true
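Review bot: the four `DeviceAllow=` entries in the hunk carry no access-mode suffix, and an entry with no suffix grants all of `r`, `w` and `m`, so the unit is still allowed to `mknod` on these nodes even though `DevicePolicy=strict` is now in place; spell out the intended access instead, e.g. `DeviceAllow=/dev/net/tun rw`, `DeviceAllow=/dev/null rw`, `DeviceAllow=/dev/urandom r`, so the allow-list documents what tailscaled actually needs and the whitelist is as narrow as the policy change intends. The commit message also states that `ProtectClock=true` implicitly enabled `DevicePolicy=closed` and that this is why the daemon previously failed; since the new explicit `DevicePolicy=strict` plus the allow-list is the fix for that, a one-line comment above these directives in the unit file would help the next person who tightens the sandbox understand why `/dev/net/tun` in particular must stay on the list.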