I tested the following systemd security settings and found them to allow normal operation on my system while providing less exposure to the system in the case of security issues.

```ini
[Service]
SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
UMask=077
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_NICE CAP_SYS_TIME CAP_SYS_TTY_CONFIG
ProtectSystem=full
ProtectKernelModules=false
RestrictSUIDSGID=false
NoNewPrivileges=true
RestrictNamespaces=true
ProtectKernelTunables=true
MemoryDenyWriteExecute=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
PrivateTmp=true
ProtectControlGroups=true
PrivateDevices=false
ProtectClock=false
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET AF_NETLINK
LockPersonality=true
SystemCallArchitectures=native
```
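The drop-in above mixes tightened settings with a few protections left at `false`. As an added example (not the poster's code), this script parses the `[Service]` section, splits the space-separated list directives, identifies whether `SystemCallFilter` is a deny-list (leading `~`), and reports the boolean protections the unit explicitly turns off; the `DROPIN` string is the poster's configuration embedded inline so it runs offline.

```python
"""Added example (not the poster's code): parse a systemd [Service] hardening drop-in."""
DROPIN = """[Service]
SystemCallFilter=~@cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap
UMask=077
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_FOWNER CAP_FSETID CAP_SETGID CAP_SETUID CAP_SYS_NICE CAP_SYS_TIME CAP_SYS_TTY_CONFIG
ProtectSystem=full
ProtectKernelModules=false
RestrictSUIDSGID=false
NoNewPrivileges=true
RestrictNamespaces=true
ProtectKernelTunables=true
MemoryDenyWriteExecute=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
PrivateTmp=true
ProtectControlGroups=true
PrivateDevices=false
ProtectClock=false
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_PACKET AF_NETLINK
LockPersonality=true
SystemCallArchitectures=native"""
LIST_KEYS = {"SystemCallFilter", "CapabilityBoundingSet", "RestrictAddressFamilies", "SystemCallArchitectures"}  # space-separated list directives

def parse_service(text):
    """Return {directive: value} from the [Service] section; list directives become lists."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):  # skip blanks and comments
            continue
        if line.startswith("["):
            section = line.strip("[]")
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value.split() if key in LIST_KEYS else value
    return settings

def disabled_protections(settings):
    """Boolean hardening directives the unit explicitly turns off (sorted by name)."""
    return sorted(k for k, v in settings.items()
                  if isinstance(v, str) and v.lower() in ("false", "no", "off", "0"))

def syscall_filter(settings):
    """(is_denylist, groups): a leading '~' makes SystemCallFilter a deny-list."""
    tokens = settings.get("SystemCallFilter", [])
    deny = bool(tokens) and tokens[0].startswith("~")
    return deny, ([tokens[0][1:]] + tokens[1:]) if deny else tokens
```

Running `disabled_protections(parse_service(DROPIN))` lists `PrivateDevices`, `ProtectClock`, `ProtectKernelModules` and `RestrictSUIDSGID`, the four protections this drop-in leaves open.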