* Michael Biebl [Wed Oct 11, 2023 at 12:14:47PM +0200]:
> On 11.10.23 at 08:03, Simon Richter wrote:
> > On 10/11/23 03:22, Michael Biebl wrote:
> >
> > > I intend to lock down rsyslog.service in Debian in one of the next
> > > uploads using the following systemd directives
> >
> > > CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
> > > CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
> > > CAP_SYSLOG
> >
> > Does it actually need CAP_NET_ADMIN and CAP_SYS_ADMIN?
> >
> > Everything else looks good to me.
>
> The list is based on
> https://github.com/rsyslog/rsyslog/pull/4999#issuecomment-1313362425
>
> - CAP_NET_ADMIN: use of setsockopt()
> - CAP_SYS_ADMIN: exceed /proc/sys/fs/file-max, the system-wide limit on the
> number of open files, in system calls that open files (e.g. accept execve),
> use of setns(),...
>
> I trimmed stuff like CAP_SETGID and CAP_SETUID, which the Debian package
> doesn't need.

Just in case you haven't seen it yet, be aware of the CAP_DAC_OVERRIDE
change for omprog module usage at
https://github.com/rsyslog/rsyslog/pull/5223

regards
-mika-
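
Added example, not part of the original message and not rsyslog or Debian packaging code: one way to check that a running rsyslogd really has the bounding set quoted above, by decoding the CapBnd mask from /proc/<pid>/status and listing capabilities that are extra or missing. Bit numbers follow linux/capability.h; the function names and the sample status line are constructed for illustration.

```python
import sys

# Capability names in bit order (index == bit number in linux/capability.h).
CAPS = """CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE
CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK
CAP_IPC_OWNER CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE
CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE
CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF
CAP_CHECKPOINT_RESTORE""".split()

# The CapabilityBoundingSet= value quoted in the thread.
PROPOSED = ("CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE CAP_NET_ADMIN "
            "CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE CAP_SYSLOG")

# Constructed sample: the proposed set plus CAP_DAC_OVERRIDE (bit 1).
SAMPLE_STATUS = "Name:\trsyslogd\nCapBnd:\t0000001411201403\n"

def mask_of(names):
    """Encode a space-separated capability list as a bitmask."""
    mask = 0
    for name in names.split():
        mask |= 1 << CAPS.index(name)  # ValueError on an unknown name
    return mask

def names_of(mask):
    """Decode a bitmask into capability names, lowest bit first."""
    return [CAPS[b] if b < len(CAPS) else f"bit{b}"
            for b in range(64) if mask >> b & 1]

def capbnd_from_status(text):
    """Extract the bounding-set mask from /proc/<pid>/status content."""
    for line in text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapBnd line found")

def compare(status_text, allowed=PROPOSED):
    """Report capabilities beyond, or absent from, the allowed list."""
    actual, want = capbnd_from_status(status_text), mask_of(allowed)
    return {"extra": names_of(actual & ~want),
            "missing": names_of(want & ~actual)}

if __name__ == "__main__":
    # Usage: script.py /proc/<pid>/status   (no argument: constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    print(compare(text))
```

An "extra" entry means the unit's bounding set is wider than the list in the thread; a "missing" entry means a capability on that list was dropped.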