2 Commits a454f2aad6 ... 3b40f58eb6

Auteur SHA1 Bericht Datum
  Michael Buesch 3b40f58eb6 Split the daemon into network and firewall part 4 maanden geleden
  Michael Buesch a454f2aad6 Split the daemon into network and firewall part 4 maanden geleden
3 gewijzigde bestanden met toevoegingen van 5 en 10 verwijderingen
  1. 0 8
      letmein-seccomp/src/lib.rs
  2. 1 1
      letmeind/letmeind.service
  3. 4 1
      letmeind/src/main.rs

+ 0 - 8
letmein-seccomp/src/lib.rs

@@ -20,7 +20,6 @@ pub enum Allow {
     Mmap,
     Mprotect,
     UnixConnect,
-    UnixListen,
     TcpAccept,
     Read,
     Write,
@@ -89,13 +88,6 @@ pub fn seccomp_compile_for_arch(
                 rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
                 rules.insert(libc::SYS_getsockopt, vec![]);
             }
-            Allow::UnixListen => {
-                rules.insert(libc::SYS_accept4, vec![]);
-                rules.insert(libc::SYS_bind, vec![]);
-                rules.insert(libc::SYS_listen, vec![]);
-                rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
-                rules.insert(libc::SYS_getsockopt, vec![]);
-            }
             Allow::TcpAccept => {
                 rules.insert(libc::SYS_accept4, vec![]);
                 rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX

+ 1 - 1
letmeind/letmeind.service

@@ -7,7 +7,7 @@ StartLimitIntervalSec=0
 [Service]
 Type=notify
 NotifyAccess=main
-ExecStart=/opt/letmein/bin/letmeind --seccomp=log
+ExecStart=/opt/letmein/bin/letmeind --seccomp=kill
 ExecReload=/bin/kill -HUP $MAINPID
 StandardOutput=journal
 StandardError=journal
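Review bot: With `--seccomp=kill` on the ExecStart line, any syscall the allow-list misses (a libc update, another architecture, a rarely taken error path) now terminates letmeind instead of being logged, and the unit gives the operator no hint of that. The hunk header shows `StartLimitIntervalSec=0`; if a restart policy is set in the part of the unit outside this hunk, a filter gap would presumably become an unthrottled restart loop, so that combination is worth checking. I would add a comment above ExecStart such as `# seccomp=kill: a syscall outside the allow-list terminates the daemon; use --seccomp=log to diagnose filter gaps`.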

+ 4 - 1
letmeind/src/main.rs

@@ -78,7 +78,10 @@ struct Opts {
     #[arg(long, default_value = "false")]
     no_systemd: bool,
 
-    /// Enable Linux 'seccomp' to security harden letmein.
+    /// Enable Linux 'seccomp' to security harden letmeind.
+    ///
+    /// Enabling 'seccomp' in 'kill' mode restricts the number of syscalls
+    /// available to letmeind to just the ones that are absolutely required.
     #[arg(long, default_value = "off")]
     seccomp: SeccompOpt,
 }
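Review bot: The new doc comment on `seccomp` explains only 'kill' mode, while `default_value = "off"` on the following attribute means a letmeind started without the flag runs with no filter at all, which the help text never says. Since the shipped unit now passes `--seccomp=kill`, the help should spell out the difference, e.g. `/// 'off' (the default) installs no filter; 'log' only reports syscalls outside the allow-list.` The 'log' wording is inferred from the service file and should be checked against SeccompOpt, which is not visible here. "restricts the number of syscalls" would also read more precisely as `restricts the set of syscalls`. struct Opts begins outside the hunk.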