vmihalko
commented
10 months ago In GitLab by @bluca on Aug 31, 2023, 13:56
lgtm
Open vmihalko opened 10 months ago
vmihalko
commented
10 months ago In GitLab by @bluca on Aug 31, 2023, 13:56
lgtm
vmihalko
commented
10 months ago In GitLab by @bluca on Sep 5, 2023, 23:45
As mentioned in https://gitlab.freedesktop.org/polkit/polkit/-/issues/203 I also recommend to drop IPAddressDeny=. Given PrivateNetwork= and RestrictAddressFamilies= are already used, it doesn't provide any usefulness.
vmihalko
commented
10 months ago In GitLab by @jrybar on Sep 6, 2023, 13:36
I'll investigate that.
vmihalko
commented
10 months ago In GitLab by @jrybar on Sep 6, 2023, 13:56
I know managing the tree of effect can be hard, but if it's supposed to be useless, provided PrivateNetwork and RestrictAddressFamilies are set, why does it lower the exposure level score? I don't know that part of code of systemd, but is that a reason for a report up to the systemd upstream?
vmihalko
commented
10 months ago In GitLab by @bluca on Sep 6, 2023, 13:59
You mean the output of systemd-analyze? That tool is a bit "dumb", in the sense that it doesn't understand very well how things can be combined, so don't give it too much weight on this
vmihalko
commented
10 months ago In GitLab by @jrybar on Sep 6, 2023, 14:34
That's what I'm saying. If that tool is supposed to be the key element of analysis and/or input into some sort of an audit, shouldn't it work better?
vmihalko
commented
10 months ago In GitLab by @bluca on Sep 8, 2023, 24:38
Sure, anything could be better given enough time and resources, but at the moment it is what it is
In GitLab by @jrybar on Aug 31, 2023, 12:43
Merges unit-hardening-missed-param -> master
Summary
A parameter CapabilityBoundingSet was left unassigned. Probably a mistake during the rebase of the original merge request (!30 - Harden systemd service).