letmein-seccomp/src/lib.rs

@@ -20,7 +20,6 @@ pub enum Allow {
     Mmap,
     Mprotect,
     UnixConnect,
-    UnixListen,
     TcpAccept,
     Read,
     Write,
@@ -89,13 +88,6 @@ pub fn seccomp_compile_for_arch(
                 rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
                 rules.insert(libc::SYS_getsockopt, vec![]);
             }
-            Allow::UnixListen => {
-                rules.insert(libc::SYS_accept4, vec![]);
-                rules.insert(libc::SYS_bind, vec![]);
-                rules.insert(libc::SYS_listen, vec![]);
-                rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX
-                rules.insert(libc::SYS_getsockopt, vec![]);
-            }
             Allow::TcpAccept => {
                 rules.insert(libc::SYS_accept4, vec![]);
                 rules.insert(libc::SYS_socket, vec![]); //TODO: Restrict to AF_UNIX

letmeind/letmeind.service

@@ -7,7 +7,7 @@ StartLimitIntervalSec=0
 [Service]
 Type=notify
 NotifyAccess=main
-ExecStart=/opt/letmein/bin/letmeind --seccomp=log
+ExecStart=/opt/letmein/bin/letmeind --seccomp=kill
 ExecReload=/bin/kill -HUP $MAINPID
 StandardOutput=journal
 StandardError=journal

letmeind/src/main.rs

@@ -78,7 +78,10 @@ struct Opts {
     #[arg(long, default_value = "false")]
     no_systemd: bool,
 
-    /// Enable Linux 'seccomp' to security harden letmein.
+    /// Enable Linux 'seccomp' to security harden letmeind.
+    ///
+    /// Enabling 'seccomp' in 'kill' mode restricts the number of syscalls
+    /// available to letmeind to just the ones that are absolutely required.
     #[arg(long, default_value = "off")]
     seccomp: SeccompOpt,
 }