tailscaled.service: Lock down clock and /dev (#1071)
Research in issue #1063 uncovered why tailscaled would fail with ProtectClock enabled (it implicitly enabled DevicePolicy=closed). This knowledge in turn also opens the door for locking down /dev further, e.g. explicitly setting DevicePolicy=strict (instead of closed), and making /dev private for the unit.

An additional possible future (or downstream) lockdown that can be done is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`); however, systemd 233 or later is required for this, and tailscaled currently needs to work for systemd down to version 215.

Closes https://github.com/tailscale/tailscale/issues/1063

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>

pull/957/head
parent b5129dadfd
commit 83fccf9fe5
@ -20,9 +20,15 @@ CacheDirectory=tailscale
|
||||||
CacheDirectoryMode=0750
|
CacheDirectoryMode=0750
|
||||||
Type=notify
|
Type=notify
|
||||||
|
|
||||||
|
DeviceAllow=/dev/net/tun
|
||||||
|
DeviceAllow=/dev/null
|
||||||
|
DeviceAllow=/dev/random
|
||||||
|
DeviceAllow=/dev/urandom
|
||||||
|
DevicePolicy=strict
|
||||||
LockPersonality=true
|
LockPersonality=true
|
||||||
MemoryDenyWriteExecute=true
|
MemoryDenyWriteExecute=true
|
||||||
PrivateTmp=true
|
PrivateTmp=true
|
||||||
|
ProtectClock=true
|
||||||
ProtectControlGroups=true
|
ProtectControlGroups=true
|
||||||
ProtectHome=true
|
ProtectHome=true
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
|
|
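Review bot: the four DeviceAllow= lines carry no access-mode suffix, so each grants the default read, write and mknod access; tailscaled only needs to open these nodes, not create them, so `DeviceAllow=/dev/net/tun rw` (and `rw` on /dev/null, /dev/random and /dev/urandom likewise) would withhold mknod at no cost. Worth a comment next to DevicePolicy=strict as well: the implicit set that DevicePolicy=closed granted (the commit message notes ProtectClock= pulled that in) also covered /dev/zero and /dev/full, which this explicit allow-list no longer includes, so that is the first place to look if the daemon fails to start on a host with this unit.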
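The PrivateDevices= follow-up that the commit message defers, as an added example that is not part of this commit or of the tailscale repository: a POSIX shell script that installs the stricter lockdown as a drop-in only when the running systemd is 233 or newer (the floor the commit message gives for PrivateDevices= with BindPaths=), and otherwise leaves the DevicePolicy=strict allow-list this commit ships in place. The drop-in path `/etc/systemd/system/tailscaled.service.d/50-private-devices.conf` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the tailscale commit: gate the PrivateDevices=
# drop-in on the systemd version so one script is safe on the systemd 215
# hosts tailscaled still targets and hardens newer hosts further.

# systemd_version: extract the major version from the first line of
# `systemctl --version` output, e.g. "systemd 245 (245.4-4ubuntu3)" -> 245.
# Takes the line as an argument so it can be checked without a live systemd.
systemd_version() {
    printf '%s\n' "$1" | awk 'NR==1 && $1=="systemd" {print $2+0; exit}'
}

# tailscaled_devices_dropin: print the drop-in body for the given systemd
# version; return non-zero (printing nothing) below 233, where the commit
# message says PrivateDevices= with BindPaths=/dev/net/ is not available.
tailscaled_devices_dropin() {
    ver="$1"
    if [ -z "$ver" ] || [ "$ver" -lt 233 ]; then
        return 1
    fi
    cat <<'EOF'
[Service]
# Private /dev for the unit with only the TUN node bound back in; the
# DeviceAllow= list in the shipped unit keeps governing what remains.
PrivateDevices=true
BindPaths=/dev/net/
EOF
}

# install_dropin: write the drop-in (assumed path) when supported and reload
# systemd; on older systemd report that the shipped allow-list stays as-is.
install_dropin() {
    v=$(systemd_version "$(systemctl --version 2>/dev/null | head -n 1)")
    if body=$(tailscaled_devices_dropin "$v"); then
        dir=/etc/systemd/system/tailscaled.service.d
        mkdir -p "$dir"
        printf '%s\n' "$body" > "$dir/50-private-devices.conf"
        systemctl daemon-reload
        echo "installed PrivateDevices= drop-in for systemd $v"
    else
        echo "systemd ${v:-unknown} is below 233: keeping DevicePolicy=strict allow-list"
    fi
}
```

Run `install_dropin` as root after sourcing the script; `systemd_version` and `tailscaled_devices_dropin` are pure so the version gate can be exercised on any machine first.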