Feature #8608

Consider using systemd's security features in NetworkManager service files

Added by intrigeri 2015-01-08 14:32:30. Updated 2019-11-23 20:19:25.

Status: Confirmed
Priority: Low
Assignee:
Category:
Target version:
Start date: 2015-01-08
Due date:
% Done: 0%
Feature Branch: https://gitlab.com/denkxor/tails/tree/feature/8608-harden-NetworkManager-systemd-service
Type of work: Test
Blueprint:
Starter:
Affected tool:
Deliverable for:

Description


Subtasks


History

#1 Updated by intrigeri 2015-01-08 14:32:41

  • Target version set to Tails_2.0

#2 Updated by intrigeri 2015-03-09 01:45:08

  • Subject changed from Evaluate usage of systemd's security features in NetworkManager service file to Consider using systemd's security features in NetworkManager service files
  • Priority changed from Normal to Low
  • Type of work changed from Research to Test

Basically, there’s none. It could be worth trying to set PrivateDevices = yes, ProtectHome = yes, ProtectSystem = full and perhaps also PrivateTmp = yes. Calling this low priority, though.

#3 Updated by intrigeri 2015-07-08 13:06:25

  • Assignee deleted (intrigeri)
  • Target version deleted (Tails_2.0)

This would be nice, but it’s in no way blocking Tails 2.0. Note that any work on this must be based on feature/jessie.

#4 Updated by denkxor 2018-04-18 22:00:36

Tails 3.6.2 is using ProtectSystem=true and ProtectHome=read-only out of the box. The unit file can be found in /lib/systemd/system/network-manager.service.
I tried to add PrivateDevices=yes and PrivateTmp=yes, run systemctl daemon-reload and restart NetworkManager.service. None of this produces error notifications; according to systemctl status, NetworkManager is running without problems.
The normal functionality, like adding a new wifi network via the GUI, seems to work, too.
Are there special things you would expect to fail? I could test them.
I don’t know how to make this change persist across reboots; maybe some errors would occur only during the boot process?

#5 Updated by denkxor 2019-11-23 20:19:25

  • Feature Branch set to https://gitlab.com/denkxor/tails/tree/feature/8608-harden-NetworkManager-systemd-service

Tested the options on Tails 4.1; NetworkManager seems to work normally.
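
Added example, not part of the ticket or of Tails' code: a shell check that reads a unit file's [Service] section and reports the effective value of the four directives named in comment #2 and tested in comment #4. The `sample_unit` content and the function names are constructed for illustration.

```shell
# Added example: audit a unit file for the sandboxing directives named in this ticket.
HARDENING_KEYS="PrivateDevices PrivateTmp ProtectHome ProtectSystem"

# unit_setting FILE KEY: print the effective value of KEY in [Service].
# systemd ignores whitespace around "=", and for these single-valued
# settings the last assignment wins. Prints nothing when KEY is unset.
unit_setting() {
    awk -v key="$2" '
        /^[ \t]*[#;]/ { next }   # comment line
        /^[ \t]*\[/   { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) value = v
        }
        END { if (value != "") print value }
    ' "$1"
}

# audit_unit FILE: list each directive; return 1 if any is unset.
audit_unit() {
    missing=0
    for key in $HARDENING_KEYS; do
        value=$(unit_setting "$1" "$key")
        if [ -n "$value" ]; then echo "$key=$value"
        else echo "$key=(unset)"; missing=1
        fi
    done
    return "$missing"
}

# Constructed sample, not the real Tails unit file: the two settings comment #4
# reports as already present, plus one added directive written with spaces.
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Network Manager (constructed sample)
[Service]
ExecStart=/usr/sbin/NetworkManager --no-daemon
ProtectSystem=true
ProtectHome=read-only
# PrivateTmp=yes
PrivateDevices = yes
EOF
}

sample=$(mktemp)
sample_unit > "$sample"
audit_unit "$sample" || echo "at least one directive is unset"
rm -f "$sample"
```

On a running system, `systemctl show NetworkManager.service -p PrivateTmp -p PrivateDevices` reports the values systemd has actually loaded, which also covers drop-in overrides.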