[gssproxy] Harden systemd .service file

Most of the configuration options should be straightforward.

The previous version of the .service file contained a comment that
NoNewPrivileges=yes breaks the ability to open a socket under
/var/lib/gssproxy. That does not appear to be correct because ProtectClock=yes
was already set, which enables NoNewPrivileges.

Furthermore, the comment for ProtectKernelTunables also appears to be
incorrect, because it doesn't make all of /proc read-only (it's only
/proc/sys/, /sys/, /proc/sysrq-trigger, /proc/latency_stats, /proc/acpi,
/proc/timer_stats, /proc/fs and /proc/irq, see man systemd.exec(5)), so
/proc/net/rpc/use-gss-proxy is still writeable. Perhaps it was a mixup with
ProtectProc?

With this applied, the "systemd-analyze security gssproxy" score goes from 8.4
(EXPOSED) to 1.7 (OK).

Tested with nfs-kernel-server, some more testing in other scenarios might still
be necessary. Also, note that this expects all RW data to be stored under
/var/lib/gssproxy, /root, /home or /run/user.

Signed-off-by: David Härdeman <david@hardeman.nu>

Author: Alphix

systemd/gssproxy.service.in

@@ -5,30 +5,59 @@ After=syslog.target network.target
 Before=rpc-gssd.service
 
 [Service]
-StateDirectory=gssproxy/clients gssproxy/rcache
+ConfigurationDirectory=gssproxy
+StateDirectory=gssproxy gssproxy/clients gssproxy/rcache
 Environment=KRB5RCACHEDIR=/var/lib/gssproxy/rcache
 ExecStart=@sbindir@/gssproxy -i
 # This can be changed to notify-reload and ExecReload= can be removed once
 #   systemd 253 is common enough
 Type=notify
 ExecReload=/bin/kill -HUP $MAINPID
 
-ProtectSystem=full
-ProtectClock=true
-ProtectKernelLogs=true
-ProtectControlGroups=true
-RestrictRealtime=true
-# NoNewPrivileges: when true breaks the ability to open a socket
-#   under /var/lib/gssproxy so no NoNewPrivileges
-# PrivateTmp: can't be used as it hides ccaches stored in /tmp
-# ProtectHome: blocks access to /home which may hold ccaches
-# ProtectHostname: blocks propagation of hostname on change
-#   but in some cases, when using a keytab, we may want to see hostname
-#   changes as the server will want to respond only for the system name
-# ProtectKernelTunables: blocks ability to write to proc.
-#   on startup gssproxy needs to write in proc to let nfsd know it can
-#   use the "new" gssproxy method instead of the old rpc stuff.
-
+ProtectSystem=strict
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+# Blocks access to /home which may hold ccaches, also breaks euid mappings
+PrivateUsers=no
+# For now, read-writeable ccaches in /tmp, /root, /home and /run/user are
+# allowed, if you know that no such ccaches are used on your system, you might
+# want to override these defaults with a drop-in (see man systemd.unit(5))
+# like this (stored in e.g. /etc/systemd/system/gssproxy.d/override.conf):
+#   [Service]
+#   PrivateTmp=yes
+#   ProtectHome=tmpfs
+#   ReadWritePaths=
+PrivateTmp=no
+ProtectHome=no
+ReadWritePaths=/root /home /run/user
+# Blocks propagation of hostname on change but when using a keytab, we want to
+# see hostname changes as the server will want to respond only for that name
+ProtectHostname=no
+ProtectClock=yes
+# Does *not* block rw access to /proc/net/rpc/use-gss-proxy
+ProtectKernelTunables=yes
+# Blocks access to /proc/net/rpc/use-gss-proxy and executable name matching
+ProtectProc=default
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_LOCAL
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+PrivateMounts=yes
+# Stricter version:
+# SystemCallFilter=@default @basic-io @file-system @io-event @network-io @signal @ipc @process madvise umask uname
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+SystemCallArchitectures=native
+NoNewPrivileges=yes
+CapabilityBoundingSet=CAP_DAC_OVERRIDE
+IPAddressDeny=any
+UMask=0177
 
 [Install]
 WantedBy=multi-user.target