earlyoom.service: redirect stderr and more handening

[oxalica]

1. Redirect stderr to the journal so that informational messages are not silently lost.
2. Add more hardening options as possible, based on systemd-analyze security earlyoom.service. Most of them are copied from systemd-oomd.service.

[oxalica]

Not really sure whether we should put these protection rules here or let distros add them. systemd can fail to start the service if some rules failed to apply.

[rfjakob]

Could you post the result of

systemd-analyze security earlyoom.service

that you get after the change?

On Sun, 25 Jun 2023, 11:33 oxalica, @.***> wrote:

@oxalica https://github.com/oxalica requested your review on: #294 https://github.com/rfjakob/earlyoom/pull/294 earlyoom.service: redirect stderr and more handening.

— Reply to this email directly, view it on GitHub https://github.com/rfjakob/earlyoom/pull/294#event-9629248660, or unsubscribe https://github.com/notifications/unsubscribe-auth/AACGA74J7ILHP5RBLECD3W3XNAAYLANCNFSM6AAAAAAZJ4GYMA . You are receiving this because your review was requested.Message ID: @.***>

[oxalica]

Could you post the result of systemd-analyze security earlyoom.service that you get after the change?

Before: 8.2 EXPOSED

``` NAME DESCRIPTION EXPOSURE ✓ RemoveIPC= Service user cannot leave SysV IPC objects around ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 ✓ User=/DynamicUser= Service runs under a transient non-root user identity ✗ CapabilityBoundingSet=~CAP_SYS_TIME Service processes may change the system clock 0.2 ✓ NoNewPrivileges= Service processes cannot acquire new privileges ✗ AmbientCapabilities= Service process receives ambient capabilities 0.1 ✗ PrivateDevices= Service potentially has access to hardware devices 0.2 ✗ ProtectClock= Service may write to the hardware clock or system clock 0.2 ✗ CapabilityBoundingSet=~CAP_SYS_PACCT Service may use acct() 0.1 ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1 ✗ ProtectKernelLogs= Service may read from or write to the kernel log ring buffer 0.2 ✗ CapabilityBoundingSet=~CAP_WAKE_ALARM Service may program timers that wake up the system 0.1 ✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service may override UNIX file/IPC permission checks 0.2 ✗ ProtectControlGroups= Service may modify the control group file system 0.2 ✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service may mark files immutable 0.1 ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1 ✗ ProtectKernelModules= Service may load or read kernel modules 0.2 ✗ CapabilityBoundingSet=~CAP_SYS_MODULE Service may load kernel modules 0.2 ✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service may issue vhangup() 0.1 ✗ CapabilityBoundingSet=~CAP_SYS_BOOT Service may issue reboot() 0.1 ✗ CapabilityBoundingSet=~CAP_SYS_CHROOT Service may issue chroot() 0.1 ✗ SystemCallArchitectures= Service may execute system calls with all ABIs 0.2 ✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service may establish wake locks 0.1 ✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1 ✗ RestrictNamespaces=~user Service may create user namespaces 0.3 ✗ RestrictNamespaces=~pid Service may create process namespaces 0.1 ✗ RestrictNamespaces=~net Service may create network namespaces 0.1 ✗ RestrictNamespaces=~uts Service may create hostname namespaces 0.1 ✗ RestrictNamespaces=~mnt Service may create file system namespaces 0.1 ✗ CapabilityBoundingSet=~CAP_LEASE Service may create file leases 0.1 ✗ CapabilityBoundingSet=~CAP_MKNOD Service may create device nodes 0.1 ✗ RestrictNamespaces=~cgroup Service may create cgroup namespaces 0.1 ✗ RestrictNamespaces=~ipc Service may create IPC namespaces 0.1 ✗ ProtectHostname= Service may change system host/domainname 0.1 ✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service may change file ownership/access mode/capabilities unrestricted 0.2 ✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service may change UID/GID identities/capabilities 0.3 ✗ LockPersonality= Service may change ABI personality 0.1 ✗ ProtectKernelTunables= Service may alter kernel tunables 0.2 ✗ RestrictAddressFamilies=~AF_PACKET Service may allocate packet sockets 0.2 ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 ✗ RestrictAddressFamilies=~… Service may allocate exotic sockets 0.3 ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✗ CapabilityBoundingSet=~CAP_MAC_* Service may adjust SMACK MAC 0.1 ✗ RestrictRealtime= Service may acquire realtime scheduling 0.1 ✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy ✗ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has raw I/O access 0.2 ✗ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has ptrace() debugging abilities 0.3 ✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has privileges to change resource use parameters 0.1 ✓ SupplementaryGroups= Service has no supplementary groups ✗ DeviceAllow= Service has no device ACL 0.2 ✓ PrivateTmp= Service has no access to other software's temporary files ✓ ProtectHome= Service has no access to home directories ✗ CapabilityBoundingSet=~CAP_NET_ADMIN Service has network configuration privileges 0.2 ✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2 ✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1 ✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges 0.1 ✗ CapabilityBoundingSet=~CAP_AUDIT_* Service has audit subsystem access 0.1 ✗ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has administrator privileges 0.3 ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ PrivateUsers= Service has access to other users 0.2 ✗ CapabilityBoundingSet=~CAP_SYSLOG Service has access to kernel logging 0.1 ✓ KeyringMode= Service doesn't share key material with other services ✓ Delegate= Service does not maintain its own delegated control group subtree ✗ SystemCallFilter=~@clock Service does not filter system calls 0.2 ✗ SystemCallFilter=~@cpu-emulation Service does not filter system calls 0.1 ✗ SystemCallFilter=~@debug Service does not filter system calls 0.2 ✗ SystemCallFilter=~@module Service does not filter system calls 0.2 ✗ SystemCallFilter=~@mount Service does not filter system calls 0.2 ✗ SystemCallFilter=~@obsolete Service does not filter system calls 0.1 ✗ SystemCallFilter=~@privileged Service does not filter system calls 0.2 ✗ SystemCallFilter=~@raw-io Service does not filter system calls 0.2 ✗ SystemCallFilter=~@reboot Service does not filter system calls 0.2 ✗ SystemCallFilter=~@resources Service does not filter system calls 0.2 ✗ SystemCallFilter=~@swap Service does not filter system calls 0.2 ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✓ NotifyAccess= Service child processes cannot alter service state ✓ PrivateMounts= Service cannot install system mounts ✓ RestrictSUIDSGID= SUID/SGID file creation by service is restricted ✗ UMask= Files created by service are world-readable by default 0.1 → Overall exposure level for earlyoom.service: 8.2 EXPOSED 🙁 ```

After: 0.7 SAFE

``` NAME DESCRIPTION EXPOSURE ✓ SystemCallFilter=~@swap System call allow list defined for service, and @swap is not included ✓ SystemCallFilter=~@resources System call allow list defined for service, and @resources is not included ✓ SystemCallFilter=~@reboot System call allow list defined for service, and @reboot is not included ✓ SystemCallFilter=~@raw-io System call allow list defined for service, and @raw-io is not included ✓ SystemCallFilter=~@privileged System call allow list defined for service, and @privileged is not included ✓ SystemCallFilter=~@obsolete System call allow list defined for service, and @obsolete is not included ✓ SystemCallFilter=~@mount System call allow list defined for service, and @mount is not included ✓ SystemCallFilter=~@module System call allow list defined for service, and @module is not included ✓ SystemCallFilter=~@debug System call allow list defined for service, and @debug is not included ✓ SystemCallFilter=~@cpu-emulation System call allow list defined for service, and @cpu-emulation is not included ✓ SystemCallFilter=~@clock System call allow list defined for service, and @clock is not included ✓ RemoveIPC= Service user cannot leave SysV IPC objects around ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 ✓ User=/DynamicUser= Service runs under a transient non-root user identity ✓ RestrictRealtime= Service realtime scheduling access is restricted ✓ CapabilityBoundingSet=~CAP_SYS_TIME Service processes cannot change the system clock ✓ NoNewPrivileges= Service processes cannot acquire new privileges ✗ AmbientCapabilities= Service process receives ambient capabilities 0.1 ✗ CapabilityBoundingSet=~CAP_KILL Service may send UNIX signals to arbitrary processes 0.1 ✗ CapabilityBoundingSet=~CAP_IPC_LOCK Service may lock memory into RAM 0.1 ✓ SystemCallArchitectures= Service may execute system calls only with native ABI ✗ MemoryDenyWriteExecute= Service may create writable executable memory mappings 0.1 ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 ✓ ProtectSystem= Service has strict read-only access to the OS file hierarchy ✓ SupplementaryGroups= Service has no supplementary groups ✓ CapabilityBoundingSet=~CAP_SYS_RAWIO Service has no raw I/O access ✓ CapabilityBoundingSet=~CAP_SYS_PTRACE Service has no ptrace() debugging abilities ✓ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE) Service has no privileges to change resource use parameters ✓ CapabilityBoundingSet=~CAP_NET_ADMIN Service has no network configuration privileges ✓ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has no elevated networking privileges ✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem access ✓ CapabilityBoundingSet=~CAP_SYS_ADMIN Service has no administrator privileges ✓ PrivateNetwork= Service has no access to the host's network ✓ PrivateTmp= Service has no access to other software's temporary files ✓ CapabilityBoundingSet=~CAP_SYSLOG Service has no access to kernel logging ✓ ProtectHome= Service has no access to home directories ✓ PrivateDevices= Service has no access to hardware devices ✗ ProtectProc= Service has full access to process tree (/proc hidepid=) 0.2 ✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1 ✗ PrivateUsers= Service has access to other users 0.2 ✗ DeviceAllow= Service has a device ACL with some special devices: char-rtc:r 0.1 ✓ KeyringMode= Service doesn't share key material with other services ✓ Delegate= Service does not maintain its own delegated control group subtree ✓ NotifyAccess= Service child processes cannot alter service state ✓ ProtectClock= Service cannot write to the hardware clock or system clock ✓ CapabilityBoundingSet=~CAP_SYS_PACCT Service cannot use acct() ✓ ProtectKernelLogs= Service cannot read from or write to the kernel log ring buffer ✓ CapabilityBoundingSet=~CAP_WAKE_ALARM Service cannot program timers that wake up the system ✓ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER) Service cannot override UNIX file/IPC permission checks ✓ ProtectControlGroups= Service cannot modify the control group file system ✓ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE Service cannot mark files immutable ✓ ProtectKernelModules= Service cannot load or read kernel modules ✓ CapabilityBoundingSet=~CAP_SYS_MODULE Service cannot load kernel modules ✓ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG Service cannot issue vhangup() ✓ CapabilityBoundingSet=~CAP_SYS_BOOT Service cannot issue reboot() ✓ CapabilityBoundingSet=~CAP_SYS_CHROOT Service cannot issue chroot() ✓ PrivateMounts= Service cannot install system mounts ✓ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND Service cannot establish wake locks ✓ RestrictNamespaces=~user Service cannot create user namespaces ✓ RestrictNamespaces=~pid Service cannot create process namespaces ✓ RestrictNamespaces=~net Service cannot create network namespaces ✓ RestrictNamespaces=~uts Service cannot create hostname namespaces ✓ RestrictNamespaces=~mnt Service cannot create file system namespaces ✓ CapabilityBoundingSet=~CAP_LEASE Service cannot create file leases ✓ CapabilityBoundingSet=~CAP_MKNOD Service cannot create device nodes ✓ RestrictNamespaces=~cgroup Service cannot create cgroup namespaces ✓ RestrictNamespaces=~ipc Service cannot create IPC namespaces ✓ ProtectHostname= Service cannot change system host/domainname ✓ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP) Service cannot change file ownership/access mode/capabilities ✓ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP) Service cannot change UID/GID identities/capabilities ✓ LockPersonality= Service cannot change ABI personality ✓ ProtectKernelTunables= Service cannot alter kernel tunables (/proc/sys, …) ✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet sockets ✓ RestrictAddressFamilies=~AF_NETLINK Service cannot allocate netlink sockets ✓ RestrictAddressFamilies=~… Service cannot allocate exotic sockets ✓ RestrictAddressFamilies=~AF_(INET|INET6) Service cannot allocate Internet sockets ✓ CapabilityBoundingSet=~CAP_MAC_* Service cannot adjust SMACK MAC ✓ IPAddressDeny= Service blocks all IP address ranges ✓ RestrictSUIDSGID= SUID/SGID file creation by service is restricted ✗ UMask= Files created by service are world-readable by default 0.1 → Overall exposure level for earlyoom.service: 0.7 SAFE 😀 ```

[rfjakob]

Merged, thanks!