Feature #8608

Consider using systemd's security features in NetworkManager service files

Added by intrigeri almost 5 years ago. Updated 19 days ago.

Status: Confirmed
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 01/08/2015
Due date: -
% Done: 0%
Feature Branch: https://gitlab.com/denkxor/tails/tree/feature/8608-harden-NetworkManager-systemd-service
Type of work: Test
Blueprint: -
Starter: -
Affected tool: -

History

#1 Updated by intrigeri almost 5 years ago

  • Target version set to Tails_2.0

#2 Updated by intrigeri almost 5 years ago

  • Subject changed from Evaluate usage of systemd's security features in NetworkManager service file to Consider using systemd's security features in NetworkManager service files
  • Priority changed from Normal to Low
  • Type of work changed from Research to Test

Basically, there's none. It could be worth trying to set PrivateDevices = yes, ProtectHome = yes, ProtectSystem = full and perhaps also PrivateTmp = yes. Calling this low priority, though.

#3 Updated by intrigeri over 4 years ago

  • Assignee deleted (intrigeri)
  • Target version deleted (Tails_2.0)

This would be nice, but it's in no way blocking Tails 2.0. Note that any work on this must be based on feature/jessie.

#4 Updated by denkxor over 1 year ago

Tails 3.6.2 is using ProtectSystem=true and ProtectHome=read-only out of the box. The unit file can be found in /lib/systemd/system/network-manager.service.
I tried to add PrivateDevices=yes and PrivateTmp=yes, then ran systemctl daemon-reload and restarted NetworkManager.service. None of this produces error notifications; according to systemctl status, NetworkManager is running without problems.
The normal functionality, like adding a new Wi-Fi network via the GUI, seems to work, too.
Are there special things you would expect to fail? I could test them.
I don't know how to make this change persist across reboots; maybe some errors would occur in the boot process only?
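The following is an added example, not code from the Tails project or from this ticket, that shows the two things comment #4 is asking about: which of the directives proposed in comment #2 a given unit still lacks, and how the change is made persistent with a drop-in override instead of editing the packaged unit under /lib/systemd/system. The sample unit text is constructed to match what the comment reports (ProtectSystem and ProtectHome set, PrivateDevices and PrivateTmp absent) and is not the real file; the drop-in path /etc/systemd/system/NetworkManager.service.d/hardening.conf is an assumption about where the reader would install it.

```shell
#!/bin/sh
# Added example (not from the Tails project or the ticket): audit a unit's
# [Service] text for the sandboxing directives discussed in the ticket and
# produce a drop-in override that makes them persistent across reboots.

# Constructed sample unit, modelled on what comment #4 reports for
# network-manager.service; it is not the real file shipped in Tails.
SAMPLE_UNIT='[Unit]
Description=Network Manager

[Service]
Type=dbus
ExecStart=/usr/sbin/NetworkManager --no-daemon
ProtectSystem=true
ProtectHome=read-only

[Install]
WantedBy=multi-user.target'

# The directives proposed in comment #2, with the value proposed for each.
WANTED="PrivateDevices=yes ProtectHome=yes ProtectSystem=full PrivateTmp=yes"

# missing_directives UNIT_TEXT
# Prints, one per line, each key from WANTED that does not appear at all in
# UNIT_TEXT (whatever value it may have), i.e. what a drop-in has to add.
missing_directives() {
    unit="$1"
    for kv in $WANTED; do
        key="${kv%%=*}"
        if ! printf '%s\n' "$unit" | grep -q "^${key}="; then
            echo "$key"
        fi
    done
}

# current_value UNIT_TEXT KEY
# Prints the value KEY currently has in UNIT_TEXT (empty if unset), so a
# change such as ProtectSystem true -> full can be reviewed before applying it.
current_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p" | head -n 1
}

# dropin_text
# Prints a drop-in fragment setting every directive in WANTED. For these
# single-valued settings the drop-in's value overrides the packaged unit's.
# Assumed install location (not from the ticket):
#   /etc/systemd/system/NetworkManager.service.d/hardening.conf
# followed by `systemctl daemon-reload` and `systemctl restart NetworkManager`.
dropin_text() {
    echo "[Service]"
    for kv in $WANTED; do
        echo "$kv"
    done
}

# Stand-alone usage: report what the sample unit lacks, then show the drop-in.
if [ "${1:-}" = "--demo" ]; then
    echo "Missing from sample unit:"
    missing_directives "$SAMPLE_UNIT"
    echo "Current ProtectSystem: $(current_value "$SAMPLE_UNIT" ProtectSystem)"
    echo "Drop-in to install:"
    dropin_text
fi
```

Installing the drop-in in /etc/systemd/system rather than editing the packaged unit is what makes the change survive both reboots and package upgrades. One systemd fact worth keeping in mind when retesting the GUI as comment #4 did: ProtectSystem=full also mounts /etc read-only, whereas ProtectSystem=true only protects /usr and /boot, so saving a new connection is the first thing to recheck after moving from true to full.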

#5 Updated by denkxor 19 days ago

  • Feature Branch set to https://gitlab.com/denkxor/tails/tree/feature/8608-harden-NetworkManager-systemd-service

Tested the options on Tails 4.1; NetworkManager seems to work normally.
