Re: [RFC] locking down rsyslog.service

To: debian-devel@lists.debian.org
Subject: Re: [RFC] locking down rsyslog.service
From: Simon Richter <sjr@debian.org>
Date: Wed, 11 Oct 2023 19:59:34 +0900
Message-id: <[🔎] 87c2c5c5-62b1-49dc-a8cb-afeebf844baa@debian.org>
In-reply-to: <[🔎] f14de6da-b4dd-422d-a15f-826a5438d8a0@debian.org>
References: <[🔎] 5b8392a7-8c83-42c4-8020-aafbae94331a@debian.org> <[🔎] 209f589c-5afa-40b1-9d84-8842c4bfd0c6@debian.org> <[🔎] f14de6da-b4dd-422d-a15f-826a5438d8a0@debian.org>

Hi,

On 10/11/23 19:14, Michael Biebl wrote:

- CAP_NET_ADMIN: use of setsockopt()
- CAP_SYS_ADMIN: exceed /proc/sys/fs/file-max, the system-wide limit onthe number of open files, in system calls that open files (e.g. acceptexecve), use of setns(),...


I see, thanks!

I looked over the code quickly, it seems the only privilegedsetsockopt() calls are to set larger buffer sizes.

It may be good to lobby for these and the open file limit to be added toCAP_SYS_RESOURCE, that would allow locking it down further in the future.


   Simon

Reply to:

References:
- [RFC] locking down rsyslog.service
  - From: Michael Biebl <biebl@debian.org>
- Re: [RFC] locking down rsyslog.service
  - From: Simon Richter <sjr@debian.org>
- Re: [RFC] locking down rsyslog.service
  - From: Michael Biebl <biebl@debian.org>

Prev by Date: Re: [RFC] locking down rsyslog.service
Next by Date: Re: [RFC] locking down rsyslog.service
Previous by thread: Re: [RFC] locking down rsyslog.service
Next by thread: Re: Re: [RFC] locking down rsyslog.service
Index(es):
- Date
- Thread