jech / babeld

The Babel routing daemon
http://www.irif.fr/~jch/software/babel/
MIT License

contrib: add example systemd unit #80

Closed mweinelt closed 3 years ago

mweinelt commented 3 years ago

This unit was developed for and has been tested on NixOS. It requires babeld 1.10 and uses the skip-kernel-setup option, so for using it in this way the user must configure sysctls themselves, namely:

and then for each interface babeld is communicating over

which replicates what babeld itself would configure.

The resulting analysis of babeld.service on systemd v247 looks like this:

  NAME                                                        DESCRIPTION                                                                    EXPOSURE
✗ PrivateNetwork=                                             Service has access to the host's network                                            0.5
✗ RestrictAddressFamilies=~AF_(INET|INET6)                    Service may allocate Internet sockets                                               0.3
✗ CapabilityBoundingSet=~CAP_NET_ADMIN                        Service has network configuration privileges                                        0.2
✗ DeviceAllow=                                                Service has a device ACL with some special devices                                  0.1
✗ IPAddressDeny=                                              Service defines IP address allow list with non-localhost entries                    0.1
✗ PrivateUsers=                                               Service has access to other users                                                   0.2
✗ AmbientCapabilities=                                        Service process receives ambient capabilities                                       0.1
✗ RestrictAddressFamilies=~AF_NETLINK                         Service may allocate netlink sockets                                                0.1
✗ RootDirectory=/RootImage=                                   Service runs within the host's root directory                                       0.1

→ Overall exposure level for babeld.service: 1.4 OK 🙂

Older systemd versions than v247 will just ignore keys they do not understand.
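For readers who want to see what a unit producing the analysis above could look like, here is an added illustration; it is not the unit submitted in this PR (which is not reproduced on this page) and not part of babeld. It assumes the binary at /usr/bin/babeld, a config file /etc/babeld.conf containing `skip-kernel-setup true`, and a DynamicUser service that keeps /proc/sys read-only via ProtectKernelTunables=, which is exactly why the sysctls mentioned in the description have to be applied by the administrator (they are not repeated here). The IP address filtering that the analysis reports is deliberately left out.

```ini
# Added example, not the PR's unit. Paths, user model and directory names
# are assumptions; the kernel sysctls babeld would normally set are NOT
# applied here and must be configured by the administrator.
[Unit]
Description=Babel routing daemon (example hardened unit)
After=network.target

[Service]
# Assumed: /etc/babeld.conf contains "skip-kernel-setup true".
# -I and -S move the pid and state files into directories systemd creates
# for us, since ProtectSystem=strict makes /run and /var read-only otherwise.
ExecStart=/usr/bin/babeld -c /etc/babeld.conf -I /run/babeld/babeld.pid -S /var/lib/babeld/babel-state
RuntimeDirectory=babeld
StateDirectory=babeld
Restart=on-failure

# Run unprivileged; CAP_NET_ADMIN is the only capability kept, so the
# daemon can install routes over netlink. The analysis therefore still
# flags CAP_NET_ADMIN, AF_INET/AF_INET6/AF_NETLINK and ambient capabilities.
DynamicUser=yes
CapabilityBoundingSet=CAP_NET_ADMIN
AmbientCapabilities=CAP_NET_ADMIN
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
NoNewPrivileges=yes

# Filesystem and kernel isolation. ProtectKernelTunables makes /proc/sys
# read-only inside the service; that is the reason skip-kernel-setup is needed.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
# PrivateDevices implies a DeviceAllow list of pseudo devices, which is what
# the "device ACL with some special devices" finding refers to.
PrivateDevices=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service

[Install]
WantedBy=multi-user.target
```

Run `systemd-analyze security babeld.service` after installing a unit like this to confirm the remaining findings are only the network-related ones a routing daemon cannot avoid.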

jech commented 3 years ago

Thanks for the contribution.

Since I don't use systemd myself, I won't be able to maintain it, so I'm not pulling it into babeld. If you create a web page with it somewhere, I'll be glad to link to it from the Babel page.