
Re: [RFC] locking down rsyslog.service



On 11.10.23 at 08:03, Simon Richter wrote:
> Hi,
>
> On 10/11/23 03:22, Michael Biebl wrote:
>
>> I intend to lock down rsyslog.service in Debian in one of the next
>> uploads using the following systemd directives
>>
>> CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE
>> CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE
>> CAP_SYSLOG
>
> Does it actually need CAP_NET_ADMIN and CAP_SYS_ADMIN?
>
> Everything else looks good to me.

The list is based on
https://github.com/rsyslog/rsyslog/pull/4999#issuecomment-1313362425

- CAP_NET_ADMIN: use of setsockopt()
- CAP_SYS_ADMIN: exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g. accept, execve), use of setns(), ...

I trimmed stuff like CAP_SETGID and CAP_SETUID, which the Debian package doesn't need.

Regards,
Michael
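
Added example, not part of the original mail or of the rsyslog or Debian packaging: a small Python audit that reads a unit's CapabilityBoundingSet=, honouring systemd's line continuation and empty-assignment reset, and reports the two capabilities questioned in this thread and whether the trimmed ones are still present. The sample unit text and the function names are constructed for illustration.

```python
import re

# Capabilities questioned in the thread, and the ones the reply says were trimmed.
QUESTIONED = {"CAP_NET_ADMIN", "CAP_SYS_ADMIN"}
TRIMMED = {"CAP_SETGID", "CAP_SETUID"}

# Constructed sample: the proposed list written as a [Service] section.
SAMPLE_UNIT = """\
[Service]
CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_CHOWN CAP_LEASE \\
    CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SYS_RESOURCE \\
    CAP_SYSLOG
"""

def bounding_set(unit_text):
    """Return the allow-listed capabilities, or None when the directive is absent."""
    text = re.sub(r"\\\n", " ", unit_text)  # a trailing backslash continues the line
    caps, section = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line
            continue
        key, sep, value = line.partition("=")
        if section != "[Service]" or not sep or key.strip() != "CapabilityBoundingSet":
            continue
        value = value.strip()
        if value.startswith("~"):
            raise ValueError("inverted (~) lists are not handled by this example")
        # An empty assignment resets the set; later lists are merged into it.
        caps = set() if not value else (caps or set()) | set(value.split())
    return caps

def audit(unit_text):
    """Summarise what a reviewer should ask about for this unit."""
    caps = bounding_set(unit_text)
    if caps is None:  # no bounding set configured: nothing has been dropped
        return {"restricted": False, "retained": None,
                "questioned": sorted(QUESTIONED), "trimmed_present": sorted(TRIMMED)}
    return {"restricted": True, "retained": sorted(caps),
            "questioned": sorted(caps & QUESTIONED),
            "trimmed_present": sorted(caps & TRIMMED)}

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT))
```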
