debian/authd.service: Use even more restrictive access for authd (#740)

Limit the authd access on system resources even more, to prevent unexpected behaviors. UDENG-5583
ubuntu · Jan 20, 2025 · ab2da28 · ab2da28
2 parents ca8dc3b + c55b79b
commit ab2da28
Showing 1 changed file with 59 additions and 0 deletions.
diff --git a/debian/authd.service.in b/debian/authd.service.in
@@ -14,6 +14,8 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=true
 PrivateDevices=yes
 PrivateMounts=yes
+PrivateNetwork=yes
+RestrictAddressFamilies=AF_UNIX
 PrivateTmp=yes
 ProtectClock=yes
 ProtectControlGroups=yes
@@ -26,6 +28,63 @@ RestrictRealtime=yes
 RestrictSUIDSGID=yes
 SystemCallArchitectures=native
 
+# This always corresponds to /var/cache/authd
+CacheDirectory=authd
+CacheDirectoryMode=0700
+
+# This always corresponds to /var/lib/authd
+StateDirectory=authd
+StateDirectoryMode=0700
+
+# This always corresponds to /etc/authd
+ConfigurationDirectory=authd
+ConfigurationDirectoryMode=0700
+
+# Prevent writing to /usr and bootloader paths.
+# We don't use "full" or "strict", because home paths can be anywhere and so we need
+# to be able to write on / subfolders, excluding some we want to explicitly protect.
+ProtectSystem=true
+
+# This is similar to ProtectHome=read-only but we exclude /home since we may need to rename
+# the user directories
+ReadOnlyPaths=-/root
+ReadOnlyPaths=-/run/user
+
+# Deny access to places that we should not touch
+ReadOnlyPaths=-/bin
+ReadOnlyPaths=-/sbin
+ReadOnlyPaths=-/lib
+TemporaryFileSystem=/media:ro
+TemporaryFileSystem=/snap:ro
+TemporaryFileSystem=/var:ro
+BindReadOnlyPaths=-/var/run/dbus
+InaccessiblePaths=-/lost+found
+
+# We need to be able to change /etc/group and /etc/gshadow, this is not great
+# but it's required for local groups access. We can't just make those accessible
+# via TemporaryFileSystem + Binds because we'd still get a write failure on rename.
+ReadWritePaths=/etc
+
+# Still let's protect some important etc paths.
+BindReadOnlyPaths=-/etc/environment
+BindReadOnlyPaths=-/etc/fstab
+BindReadOnlyPaths=-/etc/localtime
+BindReadOnlyPaths=-/etc/login.defs
+BindReadOnlyPaths=-/etc/nsswitch.conf
+BindReadOnlyPaths=-/etc/passwd
+BindReadOnlyPaths=-/etc/shadow
+BindReadOnlyPaths=-/etc/subgid
+BindReadOnlyPaths=-/etc/sudo.conf
+BindReadOnlyPaths=-/etc/sudoers
+BindReadOnlyPaths=-/etc/sysctl.conf
+BindReadOnlyPaths=-/etc/timezone
+InaccessiblePaths=-/etc/apt
+InaccessiblePaths=-/etc/default
+InaccessiblePaths=-/etc/ssh
+InaccessiblePaths=-/etc/systemd
+ReadOnlyPaths=-/etc/pam.d
+ReadOnlyPaths=-/etc/security
+
 # Only permit system calls used by common system services, excluding any special purpose calls
 SystemCallFilter=@system-service