From patchwork Thu Apr 4 11:22:59 2019
X-Patchwork-Submitter: Topi Miettinen
X-Patchwork-Id: 1077415
To: hostap@lists.infradead.org
From: Topi Miettinen
Subject: [PATCH] wpa_supplicant: harden systemd service
Date: Thu, 4 Apr 2019 14:22:59 +0300
From f3f8511b6e23076f9b2fcdca00d5b19b4343bc29 Mon Sep 17 00:00:00 2001 From: Topi Miettinen Date: Thu, 4 Apr 2019 14:18:08 +0300 Subject: [PATCH] Harden systemd service Signed-off-by: Topi Miettinen --- .../systemd/wpa_supplicant.service.in | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/wpa_supplicant/systemd/wpa_supplicant.service.in b/wpa_supplicant/systemd/wpa_supplicant.service.in index 75a37a8cd..d70e0bc36 100644 --- a/wpa_supplicant/systemd/wpa_supplicant.service.in +++ b/wpa_supplicant/systemd/wpa_supplicant.service.in @@ -4,9 +4,28 @@ Before=network.target Wants=network.target [Service] -Type=dbus BusName=fi.w1.wpa_supplicant1 +CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW ExecStart=@BINDIR@/wpa_supplicant -u +IPAddressDeny=any +LimitMEMLOCK=0 +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateTmp=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectSystem=strict +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET +RestrictNamespaces=yes +RestrictRealtime=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +TasksMax=1 +Type=dbus +UMask=0077 [Install] WantedBy=multi-user.target -- 2.20.1
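Review bot: `+ProtectSystem=strict` in this hunk is not paired with a ReadWritePaths= or RuntimeDirectory= line, so the whole file system apart from /dev, /proc and /sys becomes read-only for the daemon; a control-interface socket directory under /run, or a configuration file rewritten when update_config=1 is in use, would then fail to be created, and the one-line commit message ("Harden systemd service", no body) does not say which configurations were tested. The same question applies to `+TasksMax=1`, which assumes the daemon never forks or starts a thread, and to `+IPAddressDeny=any`, which sits oddly beside `+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK AF_PACKET` (IP socket families still allowed): if the intent is that wpa_supplicant never exchanges IP traffic, the message should state that and note that optional IP-using features such as WPS UPnP/ER were considered. The `-Type=dbus` / `+Type=dbus` pair only moves an existing line to keep the keys sorted; harmless, but unrelated churn that could be dropped or at least mentioned. Suggest adding a commit body giving the rationale for each directive and the test setup (D-Bus client, ctrl_interface, update_config), plus a ReadWritePaths= or RuntimeDirectory= line for whatever the daemon is expected to write.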