
Contributor

@Koenvh1 Koenvh1 commented Sep 1, 2025

Relating to #1037, this hardens the systemd service file.

I based this on the capabilities of the lowest systemd version we currently support:

  • RHEL 8 runs on systemd 239
  • Ubuntu 20.04 runs on systemd 245
  • Debian 11 runs on systemd 247

The score for the current service file on systemd 239 is the following:

  NAME                               DESCRIPTION                        EXPOSURE
✗ PrivateNetwork=                    Service has access to the host's …      0.5
✓ User=/DynamicUser=                 Service runs under a static non-r…         
✓ CapabilityBoundingSet=~CAP_SET(UI… Service cannot change UID/GID ide…         
✓ CapabilityBoundingSet=~CAP_SYS_AD… Service has no administrator priv…         
✓ CapabilityBoundingSet=~CAP_SYS_PT… Service has no ptrace() debugging…         
✗ RestrictAddressFamilies=~AF_(INET… Service may allocate Internet soc…      0.3
✓ RestrictNamespaces=~CLONE_NEWUSER  Service cannot create user namesp…         
✓ RestrictAddressFamilies=~…         Service cannot allocate exotic so…         
✓ CapabilityBoundingSet=~CAP_(CHOWN… Service cannot change file owners…         
✓ CapabilityBoundingSet=~CAP_(DAC_*… Service cannot override UNIX file…         
✓ CapabilityBoundingSet=~CAP_NET_AD… Service has no network configurat…         
✓ CapabilityBoundingSet=~CAP_RAWIO   Service has no raw I/O access              
✓ CapabilityBoundingSet=~CAP_SYS_MO… Service cannot load kernel modules         
✓ CapabilityBoundingSet=~CAP_SYS_TI… Service processes cannot change t…         
✓ DeviceAllow=                       Service has a minimal device ACL           
✗ IPAddressDeny=                     Service does not define an IP add…      0.2
✓ KeyringMode=                       Service doesn't share key materia…         
✓ NoNewPrivileges=                   Service processes cannot acquire …         
✓ NotifyAccess=                      Service child processes cannot al…         
✓ PrivateDevices=                    Service has no access to hardware…         
✓ PrivateMounts=                     Service cannot install system mou…         
✓ PrivateTmp=                        Service has no access to other so…         
✗ PrivateUsers=                      Service has access to other users       0.2
✓ ProtectControlGroups=              Service cannot modify the control…         
✓ ProtectHome=                       Service has no access to home dir…         
✓ ProtectKernelModules=              Service cannot load or read kerne…         
✓ ProtectKernelTunables=             Service cannot alter kernel tunab…         
✓ ProtectSystem=                     Service has strict read-only acce…         
✓ RestrictAddressFamilies=~AF_PACKET Service cannot allocate packet so…         
✗ RestrictSUIDSGID=                  Service may create SUID/SGID files      0.2
✓ SystemCallArchitectures=           Service may execute system calls …         
✓ SystemCallFilter=~@clock           System call whitelist defined for…         
✗ SystemCallFilter=~@debug           System call whitelist defined for…      0.2
✓ SystemCallFilter=~@module          System call whitelist defined for…         
✓ SystemCallFilter=~@mount           System call whitelist defined for…         
✓ SystemCallFilter=~@raw-io          System call whitelist defined for…         
✓ SystemCallFilter=~@reboot          System call whitelist defined for…         
✓ SystemCallFilter=~@swap            System call whitelist defined for…         
✗ SystemCallFilter=~@privileged      System call whitelist defined for…      0.2
✗ SystemCallFilter=~@resources       System call whitelist defined for…      0.2
✗ AmbientCapabilities=               Service process receives ambient …      0.1
✓ CapabilityBoundingSet=~CAP_AUDIT_* Service has no audit subsystem ac…         
✓ CapabilityBoundingSet=~CAP_KILL    Service cannot send UNIX signals …         
✓ CapabilityBoundingSet=~CAP_MKNOD   Service cannot create device nodes         
✗ CapabilityBoundingSet=~CAP_NET_(B… Service has elevated networking p…      0.1
✓ CapabilityBoundingSet=~CAP_SYSLOG  Service has no access to kernel l…         
✓ CapabilityBoundingSet=~CAP_SYS_(N… Service has no privileges to chan…         
✓ RestrictNamespaces=~CLONE_NEWCGRO… Service cannot create cgroup name…         
✓ RestrictNamespaces=~CLONE_NEWIPC   Service cannot create IPC namespa…         
✓ RestrictNamespaces=~CLONE_NEWNET   Service cannot create network nam…         
✓ RestrictNamespaces=~CLONE_NEWNS    Service cannot create file system…         
✓ RestrictNamespaces=~CLONE_NEWPID   Service cannot create process nam…         
✓ RestrictRealtime=                  Service realtime scheduling acces…         
✓ SystemCallFilter=~@cpu-emulation   System call whitelist defined for…         
✓ SystemCallFilter=~@obsolete        System call whitelist defined for…         
✓ RestrictAddressFamilies=~AF_NETLI… Service cannot allocate netlink s…         
✗ RootDirectory=/RootImage=          Service runs within the host's ro…      0.1
✓ SupplementaryGroups=               Service has no supplementary grou…         
✓ CapabilityBoundingSet=~CAP_MAC_*   Service cannot adjust SMACK MAC            
✓ CapabilityBoundingSet=~CAP_SYS_BO… Service cannot issue reboot()              
✓ Delegate=                          Service does not maintain its own…         
✓ LockPersonality=                   Service cannot change ABI persona…         
✓ MemoryDenyWriteExecute=            Service cannot create writable ex…         
✗ RemoveIPC=                         Service user may leave SysV IPC o…      0.1
✓ RestrictNamespaces=~CLONE_NEWUTS   Service cannot create hostname na…         
✗ UMask=                             Files created by service are worl…      0.1
✓ CapabilityBoundingSet=~CAP_LINUX_… Service cannot mark files immutab…         
✓ CapabilityBoundingSet=~CAP_IPC_LO… Service cannot lock memory into R…         
✓ CapabilityBoundingSet=~CAP_SYS_CH… Service cannot issue chroot()              
✓ CapabilityBoundingSet=~CAP_BLOCK_… Service cannot establish wake loc…         
✓ CapabilityBoundingSet=~CAP_LEASE   Service cannot create file leases          
✓ CapabilityBoundingSet=~CAP_SYS_PA… Service cannot use acct()                  
✓ CapabilityBoundingSet=~CAP_SYS_TT… Service cannot issue vhangup()             
✓ CapabilityBoundingSet=~CAP_WAKE_A… Service cannot program timers tha…         
✗ RestrictAddressFamilies=~AF_UNIX   Service may allocate local sockets      0.1

→ Overall exposure level for routinator.service: 2.0 OK 🙂

The three settings I figured I could add without issue are:

  1. PrivateUsers
  2. RemoveIPC
  3. RestrictSUIDSGID (this claims to be added in 242, but seems already available in 239?)

I have yet to come up with a way to properly test this.

@Koenvh1 Koenvh1 changed the title Harden Routinator Harden Routinator systemd service file Sep 1, 2025
@Koenvh1 Koenvh1 requested a review from partim September 1, 2025 12:10
Member

partim commented Sep 8, 2025

Should we maybe comment each of the entries (including the existing ones)?
