Control: tags -1 patch

Dear dererk,

Here is a patch that implements the suggested change.
Note that ProtectSystem=full was replaced by more restrictive settings:

> # Makes the system read-only (in the daemon's namespace)
> #  and prevent access to the logs
> ReadOnlyDirectories=/
> ReadWriteDirectories=/var/run
> ReadWriteDirectories=/var/lib/openntpd
> InaccessibleDirectories=/var/log

The configuration change suggested here was tested on stretch, like the
original one.
For some reason that I haven't elucidated yet, it fails on jessie, but this is
likely not an issue (it wouldn't be sent to stable anyhow).


Best,

  nicoo
From 1ebb3d50a35d2163b22a6e514ccb8d4687cbfead Mon Sep 17 00:00:00 2001
From: Nicolas Braud-Santoni <nico...@braud-santoni.eu>
Date: Sun, 8 May 2016 19:13:45 +0200
Subject: [PATCH] Use systemd sandboxing

---
 debian/changelog        |  6 ++++++
 debian/openntpd.service | 26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 6bae66c..7b760c0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+openntpd (1:5.7p4-4) unstable; urgency=medium
+
+  * Use systemd's sandboxing (Closes: 816456)
+
+ --
+
 openntpd (1:5.7p4-3) unstable; urgency=medium
 
   * Add support for GNU/kFreeBSD arc4random (Closes: 815302).
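Review bot: the trailer of the new changelog entry (the bare ` --` line) is malformed, since it lacks the maintainer name, e-mail address and date that dpkg-parsechangelog expects (` -- Name <email>  Date`); either complete it or, as this is a proposed change rather than an upload, target `UNRELEASED` instead of `unstable`. It would also help to list the sandboxing directives being enabled in the entry itself, because `ReadOnlyDirectories=/` and the `CapabilityBoundingSet=` restriction are behaviour changes an administrator debugging a failed start will look for in the changelog.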
diff --git a/debian/openntpd.service b/debian/openntpd.service
index 311e0c6..9289fc0 100644
--- a/debian/openntpd.service
+++ b/debian/openntpd.service
@@ -3,6 +3,7 @@ Description=OpenNTPd Network Time Protocol
 Conflicts=systemd-timesyncd.service
 After=network.target
 
+
 [Service]
 Type=forking
 EnvironmentFile=-/etc/default/openntpd
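Review bot: the only change in this hunk is a second blank line before `[Service]`, which is unrelated to the sandboxing work; drop it so the diff stays limited to the behavioural change (the same applies to the doubled blank line introduced before `[Install]` in the next hunk).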
@@ -10,5 +11,30 @@ ExecStart=/usr/sbin/ntpd $DAEMON_OPTS
 Restart=on-failure
 RuntimeDirectory=openntpd
 
+## Sandboxing features.  See systemd.exec(5)
+# The service gets its own instance of {/var,}/tmp
+PrivateTmp=true
+
+# Only exposes API pseudo-devices (/dev/null, zero, random)
+PrivateDevices=true
+
+# Makes the system read-only (in the daemon's namespace)
+#  and prevent access to the logs
+ReadOnlyDirectories=/
+ReadWriteDirectories=/var/run
+ReadWriteDirectories=/var/lib/openntpd
+InaccessibleDirectories=/var/log
+
+# Prevents access to /home, /root and /run/user
+ProtectHome=true
+
+# Bounds the daemon's privileges.
+#  See capabilities(7) and
+#  /usr/share/doc/linux-doc-*/Documentation/prctl/no_new_privs.txt.gz
+CapabilityBoundingSet=CAP_SYS_TIME CAP_NET_BIND_SERVICE CAP_SYSLOG
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_SYS_CHROOT
+NoNewPrivileges=true
+
+
 [Install]
 WantedBy=multi-user.target
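Review bot: `ReadWriteDirectories=/var/run` is the line most likely to misbehave: `RuntimeDirectory=openntpd` creates its directory under `/run`, and on current Debian systems `/var/run` is a symlink to `/run`, so after `ReadOnlyDirectories=/` the pid/socket directory may still end up read-only depending on how the symlink is resolved; point the exception at `/run` (or `/run/openntpd`) and confirm after a restart that the daemon actually starts and writes there. The jessie failure mentioned in the cover mail can be narrowed down the same way, by disabling one directive at a time and reading `journalctl -u openntpd`. Second, `CAP_SYSLOG` is probably unnecessary: it governs the syslog(2) kernel-log-buffer call and access to /proc/kallsyms, not syslog(3) writes to /dev/log, so it can most likely be dropped from the bounding set (check the journal for log output after removing it). The two `CapabilityBoundingSet=` lines are fine as written, since systemd merges repeated assignments of that directive, but a single line makes the resulting set easier to audit. Minor: the comment should read `prevents access to the logs`.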
-- 
2.8.1
