@rusty-snake
Last active September 8, 2021 11:49
Comparison of systemd's hardening options with firejail and vice versa.
@kmk3

kmk3 commented Aug 10, 2021

Note: I'm not very familiar with using systemd, so I don't have much to add.

@rusty-snake commented 7 hours ago:

Ready to add this to the wiki. Any comments before doing this?

I think the side-by-side equivalents are very nice to have. It's good to know
if we are missing useful functionality compared to other projects and
vice-versa. Also, I had no idea that there were so many similarities.

Resource Limits

[...]

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't read-only +
noexec equivalent?

User/Group

[...]

| Not Implemented | RemoveIPC=yes |

I was going to comment about ipc-namespace, but now I see that it is
mentioned later with relation to PrivateIPC=yes. At first glance, it looks
like having such an option could be complementary to dbus-user none +
dbus-system none.

Copying and distribution of this file, with or without modification, are
permitted in any medium without royalty provided the copyright notice and
this notice are preserved. This file is offered as-is, without any warranty.

Nice; I think using the GNU APL makes a lot of sense for gists.


(Offtopic)

This is kind of a PR for the wiki, so I'll just leave this linked here:

netblue30/firejail#4441

@topimiettinen

For net eth0 there's no equivalent in systemd directives.

For netfilter /etc/firejail/myfilter.net, similar features are IPIngressFilterPath=/IPEgressFilterPath= and more general BPFProgram=. They use BPF rather than iptables/nftables.

Yes, but there are also /bin, /sbin and /usr/sbin. With a unified filesystem hierarchy (/bin and /sbin are symlinks to their /usr counterparts) this is just an additional TemporaryFileSystem=/usr/sbin but without?

Yes. I think there could be also further unification where also /usr/sbin is just a symlink to /usr/bin.

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

This is now merged and released.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't read-only +
noexec equivalent?

Not really, umask is applied when creating new files but read-only or noexec remount a directory tree with flags to deny writing or executing. A new umask can also be installed easily (unless prevented with seccomping) but changing mount flags would need superuser capabilities.
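The umask point raised in kmk3's question and topimiettinen's reply above, as an added example that is not part of the gist, firejail or systemd: the script shows that a umask only trims the mode bits of files the process creates, that a child process can simply install a looser umask again, and writes a systemd drop-in that pairs UMask= with the mount-level controls that actually deny writing and executing. It assumes a POSIX shell with stat and mktemp; the unit paths in the drop-in (/usr/bin/myservice) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the gist or either project): what UMask= controls,
# contrasted with read-only / noexec restrictions that live in mount flags.
set -eu

# Print the permission bits of a file in octal (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a new file under directory $1 with umask $2 and print its resulting mode.
# A shell redirection asks for 0666; the umask only removes bits from that request.
create_with_umask() {
    dir=$1
    mask=$2
    f="$dir/umask_$mask"
    rm -f "$f"
    (
        umask "$mask"
        : > "$f"
    )
    mode_of "$f"
}

# A umask is per-process state, nothing more: a process started under umask 0077
# (what UMask=0077 gives a service) can install a looser one and create a
# world-readable file. Prints the mode of the file the child created.
child_resets_umask() {
    dir=$1
    f="$dir/reset_by_child"
    rm -f "$f"
    (
        umask 0077            # what the service manager set for us
        (
            umask 0022        # the program decides otherwise
            : > "$f"
        )
    )
    mode_of "$f"
}

# Write a hypothetical drop-in into directory $1 that pairs UMask= with the
# controls that deny writing and executing at the mount level. Prints its path.
write_dropin() {
    out="$1/10-hardening.conf"
    cat > "$out" <<'EOF'
[Service]
# Only affects the mode bits of files the service creates, and the service can
# change it again with umask(2)...
UMask=0077
# ...unless the syscall is filtered (caveat: kills any program that calls umask()
# at startup, so test the service first).
#SystemCallFilter=~umask
# Mount-level restrictions: enforced by the kernel and undoing them needs
# CAP_SYS_ADMIN, which a hardened service does not have.
ReadOnlyPaths=/etc /usr
NoExecPaths=/
ExecPaths=/usr/bin/myservice /usr/lib /usr/lib64
EOF
    printf '%s\n' "$out"
}

# Stand-alone demonstration on a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
echo "umask 0077  -> $(create_with_umask "$tmp" 0077)"   # 600
echo "umask 0022  -> $(create_with_umask "$tmp" 0022)"   # 644
echo "child reset -> $(child_resets_umask "$tmp")"       # 644
echo "drop-in     -> $(write_dropin "$tmp")"
```

The third line of output is the whole argument: nothing the service manager did survives a single umask() call, whereas a ReadOnlyPaths= or NoExecPaths= mount stays in force for the lifetime of the service's mount namespace.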

@kmk3

kmk3 commented Aug 11, 2021

@topimiettinen commented on Aug 11:

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

This is now merged and released.

Nice.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't
read-only + noexec equivalent?

Not really, umask is applied when creating new files but read-only or noexec remount a directory tree with flags to deny writing or executing. A new umask can also be installed easily (unless prevented with seccomping) but changing mount flags would need superuser capabilities.

I see; thanks for the explanation. For some reason I thought that the option
was actually about enforcing the permissions rather than just changing the
umask.
