archive
/
tailscale
mirror of https://github.com/tailscale/tailscale/
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

tailscaled.service: Lock down clock and /dev (#1071)

Browse Source 
Research in issue #1063 uncovered why tailscaled would fail with
ProtectClock enabled (it implicitly enabled DevicePolicy=closed).

This knowledge in turn also opens the door for locking down /dev
further, e.g. explicitly setting DevicePolicy=strict (instead of
closed), and making /dev private for the unit.

Additional possible future (or downstream) lockdown that can be done
is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`), however,
systemd 233 or later is required for this, and tailscaled currently need
to work for systemd down to version 215.

Closes https://github.com/tailscale/tailscale/issues/1063

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
pull/957/head
Frederik “Freso” S. Olesen 4 years ago committed by Brad Fitzpatrick
parent b5129dadfd
commit 83fccf9fe5
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File

6
cmd/tailscaled/tailscaled.service
Unescape Escape View File

@ -20,9 +20,15 @@ CacheDirectory=tailscale
CacheDirectoryMode=0750 CacheDirectoryMode=0750
Type=notify Type=notify
DeviceAllow=/dev/net/tun
DeviceAllow=/dev/null
DeviceAllow=/dev/random
DeviceAllow=/dev/urandom
DevicePolicy=strict
LockPersonality=true LockPersonality=true
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
PrivateTmp=true PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true ProtectControlGroups=true
ProtectHome=true ProtectHome=true
ProtectKernelTunables=true ProtectKernelTunables=true

Write Preview
Loading…
Cancel
Save