Open vmihalko opened 10 months ago
In GitLab by @bluca on Aug 31, 2023, 13:56
lgtm
In GitLab by @bluca on Sep 5, 2023, 23:45
As mentioned in https://gitlab.freedesktop.org/polkit/polkit/-/issues/203 I also recommend dropping IPAddressDeny=. Given PrivateNetwork= and RestrictAddressFamilies= are already used, it doesn't provide any usefulness.
In GitLab by @jrybar on Sep 6, 2023, 13:36
I'll investigate that.
In GitLab by @jrybar on Sep 6, 2023, 13:56
I know managing the tree of effects can be hard, but if it's supposed to be useless, provided PrivateNetwork and RestrictAddressFamilies are set, why does it lower the exposure level score? I don't know that part of the systemd code, but is that a reason for a report to systemd upstream?
In GitLab by @bluca on Sep 6, 2023, 13:59
You mean the output of systemd-analyze? That tool is a bit "dumb", in the sense that it doesn't understand very well how things can be combined, so don't give it too much weight on this
In GitLab by @jrybar on Sep 6, 2023, 14:34
That's what I'm saying. If that tool is supposed to be the key element of analysis and/or input into some sort of an audit, shouldn't it work better?
In GitLab by @bluca on Sep 8, 2023, 24:38
Sure, anything could be better given enough time and resources, but at the moment it is what it is
In GitLab by @jrybar on Aug 31, 2023, 12:43
Merges unit-hardening-missed-param -> master
Summary
A parameter CapabilityBoundingSet was left unassigned. Probably a mistake during the rebase of the original merge request (!30 - Harden systemd service).
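Added example, not part of the thread and not polkit or systemd code: a small check for the overlap @bluca describes, reporting a unit that sets IPAddressDeny= while PrivateNetwork= is on and RestrictAddressFamilies= leaves no IP address family available. The function names and the sample unit are constructed, and the parser assumes each directive is assigned only once.

```python
# Added example: function names are hypothetical, sample unit is constructed.
TRUE_VALUES = {"1", "yes", "true", "on"}   # boolean spellings systemd accepts
IP_FAMILIES = {"AF_INET", "AF_INET6"}

SAMPLE_UNIT = """\
[Unit]
Description=constructed sample, not polkit's shipped unit

[Service]
ExecStart=/usr/bin/example-daemon
PrivateNetwork=yes
RestrictAddressFamilies=AF_UNIX
IPAddressDeny=any
"""

def parse_service_section(unit_text):
    """Return {directive: value} for [Service] (assumes one assignment each)."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def ip_sockets_allowed(value):
    """True if RestrictAddressFamilies= still permits an IP socket family."""
    if not value:                       # unset or reset: no restriction
        return True
    if value.startswith("~"):           # deny-list form
        return not IP_FAMILIES <= set(value[1:].split())
    return bool(IP_FAMILIES & set(value.split()))   # allow-list; "none" is empty

def overlapping_ip_filter(unit_text):
    """True when IPAddressDeny= is set alongside both other restrictions."""
    s = parse_service_section(unit_text)
    private_net = s.get("PrivateNetwork", "").lower() in TRUE_VALUES
    no_ip_family = not ip_sockets_allowed(s.get("RestrictAddressFamilies"))
    return bool(s.get("IPAddressDeny")) and private_net and no_ip_family

if __name__ == "__main__":
    print("IPAddressDeny= overlaps other settings:", overlapping_ip_filter(SAMPLE_UNIT))
```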