Bug 96725

Summary: systemd service hardening
Product: ModemManager Reporter: Craig <candrews>
Component: generalAssignee: ModemManager bug user <modemmanager>
Status: RESOLVED DUPLICATE QA Contact:
Severity: normal    
Priority: medium CC: candrews
Version: unspecified   
Hardware: Other   
OS: Linux (All)   
Whiteboard:
i915 platform: i915 features:

Description Craig 2016-06-29 14:13:43 UTC 
The modem manager systemd service https://cgit.freedesktop.org/ModemManager/ModemManager/tree/data/org.freedesktop.ModemManager1.service.in would benefit from hardening.

I suggest that these lines be added to the service:

PrivateTmp=true
ProtectSystem=full
NoNewPrivileges=true
ProtectHome=true
CapabilityBoundingSet= should be set, but unfortunately I don't know to what value, and I don't have a modem to actually test with to confirm.

see https://www.freedesktop.org/software/systemd/man/systemd.exec.html
Comment 1 Aleksander Morgado 2016-10-24 11:18:02 UTC 
Hey Craig,

Thanks for the report. I'm going to set this bug as duplicate of a newer one, just because that one already has a suggested patch I can apply :) Looking at the differences between your suggestion and the list suggested in the new patch, I just see ProtectSystem being different (full vs true), which I don't think it's an issue anyway because MM doesn't use /etc.

*** This bug has been marked as a duplicate of bug 98296 ***

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.