* Michael Biebl [Wed Oct 11, 2023 at 12:14:47PM +0200]:
> Am 11.10.23 um 08:03 schrieb Simon Richter:
> > On 10/11/23 03:22, Michael Biebl wrote:
> > 
> > > I intend to lock down rsyslog.service in Debian in one of the next
> > > uploads using the following systemd directives
> > 
> > > CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
> > > CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
> > > CAP_SYSLOG
> > 
> > Does it actually need CAP_NET_ADMIN and CAP_SYS_ADMIN?
> > 
> > Everything else looks good to me.
> 
> The list is based on
> https://github.com/rsyslog/rsyslog/pull/4999#issuecomment-1313362425
> 
> - CAP_NET_ADMIN: use of setsockopt()
> - CAP_SYS_ADMIN: exceed /proc/sys/fs/file-max, the system-wide limit on the
> number of open files, in system calls that open files (e.g. accept execve),
> use of setns(),...
> 
> I trimmed stuff like CAP_SETGID and CAP_SETUID, which the Debian package
> doesn't need.

Just in case you haven't seen it yet, be aware of the
CAP_DAC_OVERRIDE change for omprog module usage at
https://github.com/rsyslog/rsyslog/pull/5223

regards
-mika-

Attachment: signature.asc
Description: PGP signature

Reply via email to