harden chronyd and chrony-wait services

This commit is contained in:
Miroslav Lichvar 2021-09-29 16:18:06 +02:00
parent 49d1a1fef3
commit cdae473dfc
2 changed files with 125 additions and 2 deletions

chrony-services.patch Normal file

@ -0,0 +1,120 @@
commit 83f96efdfd2d42a8de51ac3b05120acf5292bb00
Author: Miroslav Lichvar <mlichvar@redhat.com>
Date: Wed Sep 29 15:25:48 2021 +0200
examples: harden systemd services
Add various settings to the example chronyd and chrony-wait services to
decrease the exposure reported by the "systemd-analyze security"
command. The original exposure was high as the analyzer does not check
the actual process (e.g. that it dropped the root privileges or that it
has its own seccomp filter).
Limit read-write access to /run, /var/lib/chrony, and /var/spool.
Access to /run (instead of /run/chrony) is needed for the refclock
socket expected by gpsd.
The mailonchange directive is most likely to break as it executes
/usr/sbin/sendmail, which can do unexpected operations depending on the
implementation. It should work with a setuid/setgid binary, but it is
not expected to write outside of /var/spool and the private /tmp.
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index b3aa7aa2..72b028f2 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -16,5 +16,32 @@ TimeoutStartSec=180
RemainAfterExit=yes
StandardOutput=null
+CapabilityBoundingSet=
+DevicePolicy=closed
+DynamicUser=yes
+IPAddressAllow=localhost
+IPAddressDeny=any
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0777
+
[Install]
WantedBy=multi-user.target
diff --git a/examples/chronyd.service b/examples/chronyd.service
index 289548cb..2cac6026 100644
--- a/examples/chronyd.service
+++ b/examples/chronyd.service
@@ -10,9 +10,40 @@ Type=forking
PIDFile=/run/chrony/chronyd.pid
EnvironmentFile=-/etc/sysconfig/chronyd
ExecStart=/usr/sbin/chronyd $OPTIONS
+
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_KILL CAP_LEASE CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_MKNOD CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_PTRACE CAP_SYS_RAWIO CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM
+DeviceAllow=char-pps rw
+DeviceAllow=char-ptp rw
+DeviceAllow=char-rtc rw
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
PrivateTmp=yes
+ProcSubset=pid
+ProtectControlGroups=yes
ProtectHome=yes
-ProtectSystem=full
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/run /var/lib/chrony
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
+
+# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive)
+NoNewPrivileges=no
+ReadWritePaths=/var/spool
+RestrictAddressFamilies=AF_NETLINK
[Install]
WantedBy=multi-user.target
Avoid a SELinux issue
diff --git a/examples/chrony-wait.service b/examples/chrony-wait.service
index 72b028f2..57646950 100644
--- a/examples/chrony-wait.service
+++ b/examples/chrony-wait.service
@@ -18,7 +18,7 @@ StandardOutput=null
CapabilityBoundingSet=
DevicePolicy=closed
-DynamicUser=yes
+#DynamicUser=yes
IPAddressAllow=localhost
IPAddressDeny=any
LockPersonality=yes
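Review bot: In the chronyd.service hunk, `NoNewPrivileges=no` in the sendmail block overrides the `NoNewPrivileges=yes` set a few lines earlier in the same unit, so the earlier line is dead and the effective hardening depends on last-wins ordering that a later edit can silently break by moving keys around; the adjacent `ReadWritePaths=` and `RestrictAddressFamilies=` lines in that block instead append to the earlier values, which is a different semantic for a reader who does not know which systemd settings accumulate. I would drop the earlier `NoNewPrivileges=yes` and widen the block comment to `# Adjust restrictions for /usr/sbin/sendmail (mailonchange directive): NoNewPrivileges=no replaces the setting above, the other lines extend the earlier lists`. Several of the Protect*= options used here are documented to imply NoNewPrivileges=yes for unprivileged units, so it is worth confirming with `systemd-analyze security chronyd.service` and an actual mailonchange run that the explicit `no` takes effect rather than assuming it from the comment. In the follow-up chrony-wait.service hunk, `#DynamicUser=yes` is left commented out with the reason only in the commit message; a one-line `# DynamicUser=yes disabled to avoid an SELinux issue` above it would keep the rationale with the file, and since the unit's `[Service]` head is outside the hunk I cannot tell whether a `User=` remains to take its place.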


@ -26,6 +26,8 @@ Source10: https://github.com/mlichvar/clknetsim/archive/%{clknetsim_ver}/c
Patch1: chrony-nm-dispatcher-dhcp.patch Patch1: chrony-nm-dispatcher-dhcp.patch
# update seccomp filter for new glibc # update seccomp filter for new glibc
Patch2: chrony-seccomp.patch Patch2: chrony-seccomp.patch
# harden chronyd and chrony-wait services
Patch3: chrony-services.patch
BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel BuildRequires: libcap-devel libedit-devel nettle-devel pps-tools-devel
BuildRequires: gcc gcc-c++ make bison systemd gnupg2 BuildRequires: gcc gcc-c++ make bison systemd gnupg2
@ -58,18 +60,19 @@ service to other computers in the network.
%{?gitpatch:%patch0 -p1} %{?gitpatch:%patch0 -p1}
%patch1 -p1 -b .nm-dispatcher-dhcp %patch1 -p1 -b .nm-dispatcher-dhcp
%patch2 -p1 -b .seccomp %patch2 -p1 -b .seccomp
%patch3 -p1 -b .services
%{?gitpatch: echo %{version}-%{gitpatch} > version.txt} %{?gitpatch: echo %{version}-%{gitpatch} > version.txt}
# review changes in packaged configuration files and scripts # review changes in packaged configuration files and scripts
md5sum -c <<-EOF | (! grep -v 'OK$') md5sum -c <<-EOF | (! grep -v 'OK$')
bc563c1bcf67b2da774bd8c2aef55a06 examples/chrony-wait.service 222e652b95027289877fa77146d3b9b1 examples/chrony-wait.service
2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2 2d01b94bc1a7b7fb70cbee831488d121 examples/chrony.conf.example2
96999221eeef476bd49fe97b97503126 examples/chrony.keys.example 96999221eeef476bd49fe97b97503126 examples/chrony.keys.example
6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate 6a3178c4670de7de393d9365e2793740 examples/chrony.logrotate
a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp a7054c9352c07384bd7ea0477e6e8a8c examples/chrony.nm-dispatcher.dhcp
8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline 8f5a98fcb400a482d355b929d04b5518 examples/chrony.nm-dispatcher.onoffline
32c34c995c59fd1c3ad1616d063ae4a0 examples/chronyd.service 76c8a32a5ac6692a7f15f65e2b5f3239 examples/chronyd.service
EOF EOF
# don't allow packaging without vendor zone # don't allow packaging without vendor zone