feat(firewalld): drop linux capabilities #825

Merged
merged 2 commits into from Jul 20, 2021
erig0 (Collaborator) commented Jul 20, 2021

No description provided.

Drop capabilities to a minimal set via python3-capng. This is an
optional dependency. If the python import fails then all capabilities
are kept.
erig0 (Collaborator Author) commented Jul 20, 2021

@mbiebl. FYI, in case you want to add this optional dependency in Debian.

erig0 merged commit fb0532e into firewalld:master Jul 20, 2021

mbiebl (Contributor) commented Aug 16, 2021

Wouldn't it be easier to just use systemd's builtin mechanisms for dropping capabilities?
This would mean no need for custom code and no 3rd party dependency (on python-capng)

erig0 (Collaborator Author) commented Aug 16, 2021

> Wouldn't it be easier to just use systemd's builtin mechanisms for dropping capabilities?

I think dropping in the daemon is just as easy.

Two reasons to drop in the daemon vs systemd service definition:

  1. testsuite support and coverage
  2. support other init systems

> This would mean no need for custom code and no 3rd party dependency (on python-capng)

The python dependency is optional. There is no harm in downstream changes to drop capabilities in systemd and avoid the packaging dependency on python-capng.

mbiebl (Contributor) commented Aug 16, 2021

Well, changing it downstream has the downside that I need to keep the list of caps up-to-date in the .service file.

Can you give me any pointers which parts of the testsuite cover/require dropping of caps?

I also noticed, that even after installing python3-cap-ng (0.7.9) on Debian, I don't get

            log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")

in my journal log. What am I doing wrong?

# grep INFO1 /var/log/firewalld
<empty>

mbiebl (Contributor) commented Aug 16, 2021

btw, would it be possible to log this to the journal (when systemd is used)? I'm so used to the journal by now, that I find it cumbersome having to check external log files.

erig0 (Collaborator Author) commented Aug 16, 2021

> Can you give me any pointers which parts of the testsuite cover/require dropping of caps?

There are no tests specific to dropping capabilities. I meant that the entire testsuite runs with reduced capabilities. Which verifies that running with reduced capabilities actually works.

> I also noticed, that even after installing python3-cap-ng (0.7.9) on Debian, I don't get
>
>             log.info(log.INFO1, "Dropped Linux capabilities to NET_ADMIN, NET_RAW, SYS_MODULE.")
>
> in my journal log. What am I doing wrong?

It's possible SELinux is blocking it. That was the case in Fedora.

https://bugzilla.redhat.com/show_bug.cgi?id=1985494
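
One way to check, independently of the log file, whether a running firewalld process holds only the capabilities named in the log message above, by decoding the `Cap*` masks in `/proc/<pid>/status`. This is an added example, not code from the firewalld project; the sample status text is constructed, and treating "dropped" as "the effective and permitted sets contain exactly those three capabilities" is an assumption.

```python
import re
import sys

# Capability bit numbers, in order, from <linux/capability.h> (bit 0 = CHOWN).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# The set named in the log message quoted in this thread.
EXPECTED = frozenset({"NET_ADMIN", "NET_RAW", "SYS_MODULE"})

# Constructed samples of the Cap* lines in /proc/<pid>/status (not real output).
SAMPLE_FULL = "Name:\tfirewalld\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"
SAMPLE_DROPPED = "Name:\tfirewalld\nCapPrm:\t0000000000013000\nCapEff:\t0000000000013000\n"

def parse_cap_sets(status_text):
    """Map each Cap* field of a /proc status dump to a set of capability names."""
    sets = {}
    for field, hexmask in re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        mask = int(hexmask, 16)
        sets[field] = {
            CAP_NAMES[bit] if bit < len(CAP_NAMES) else "CAP_%d" % bit
            for bit in range(mask.bit_length()) if mask >> bit & 1
        }
    return sets

def check_dropped(status_text, expected=EXPECTED):
    """Compare the effective and permitted sets against the expected minimal set."""
    sets = parse_cap_sets(status_text)
    held = sets.get("CapEff", set()) | sets.get("CapPrm", set())
    extra = sorted(held - expected)                      # should have been dropped
    missing = sorted(expected - sets.get("CapEff", set()))  # needed but not effective
    return {"dropped": not extra and not missing, "extra": extra, "missing": missing}

if __name__ == "__main__":
    # Usage: script.py <pid of firewalld>; with no argument, run on the samples.
    if len(sys.argv) > 1:
        with open("/proc/%s/status" % sys.argv[1]) as fh:
            print(check_dropped(fh.read()))
    else:
        print("full:", check_dropped(SAMPLE_FULL))
        print("dropped:", check_dropped(SAMPLE_DROPPED))
```

A non-empty `extra` list on a live process means the drop did not take effect, whatever the log file shows.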

erig0 (Collaborator Author) commented Aug 16, 2021

> btw, would it be possible to log this to the journal (when systemd is used)? I'm so used to the journal by now, that I find it cumbersome having to check external log files.

I don't know how you'd do that. Would firewalld have to detect it's running with reduced capabilities?
