Commit
```
$ systemd-analyze --no-pager security ldddns.service
  NAME                                    DESCRIPTION                             EXPOSURE
✓ PrivateNetwork=                         Service has no access to the host's …
✓ User=/DynamicUser=                      Service runs under a transient non-r…
✓ CapabilityBoundingSet=~CAP_SET(UID|G…   Service cannot change UID/GID identi…
✓ CapabilityBoundingSet=~CAP_SYS_ADMIN    Service has no administrator privile…
✓ CapabilityBoundingSet=~CAP_SYS_PTRACE   Service has no ptrace() debugging ab…
✓ RestrictAddressFamilies=~AF_(INET|IN…   Service cannot allocate Internet soc…
✓ RestrictNamespaces=~CLONE_NEWUSER       Service cannot create user namespaces
✓ RestrictAddressFamilies=~…              Service cannot allocate exotic socke…
✓ CapabilityBoundingSet=~CAP_(CHOWN|FS…   Service cannot change file ownership…
✓ CapabilityBoundingSet=~CAP_(DAC_*|FO…   Service cannot override UNIX file/IP…
✓ CapabilityBoundingSet=~CAP_NET_ADMIN    Service has no network configuration…
✓ CapabilityBoundingSet=~CAP_SYS_MODULE   Service cannot load kernel modules
✓ CapabilityBoundingSet=~CAP_SYS_RAWIO    Service has no raw I/O access
✓ CapabilityBoundingSet=~CAP_SYS_TIME     Service processes cannot change the …
✗ DeviceAllow=                            Service has a device ACL with some s…   0.1
✓ IPAddressDeny=                          Service blocks all IP address ranges
✓ KeyringMode=                            Service doesn't share key material w…
✓ NoNewPrivileges=                        Service processes cannot acquire new…
✓ NotifyAccess=                           Service child processes cannot alter…
✓ PrivateDevices=                         Service has no access to hardware de…
✓ PrivateMounts=                          Service cannot install system mounts
✓ PrivateTmp=                             Service has no access to other softw…
✓ PrivateUsers=                           Service does not have access to othe…
✓ ProtectClock=                           Service cannot write to the hardware…
✓ ProtectControlGroups=                   Service cannot modify the control gr…
✓ ProtectHome=                            Service has no access to home direct…
✓ ProtectKernelLogs=                      Service cannot read from or write to…
✓ ProtectKernelModules=                   Service cannot load or read kernel m…
✓ ProtectKernelTunables=                  Service cannot alter kernel tunables…
✓ ProtectSystem=                          Service has strict read-only access …
✓ RestrictAddressFamilies=~AF_PACKET      Service cannot allocate packet socke…
✓ RestrictSUIDSGID=                       SUID/SGID file creation by service i…
✓ SystemCallArchitectures=                Service may execute system calls onl…
✓ SystemCallFilter=~@clock                System call allow list defined for s…
✓ SystemCallFilter=~@debug                System call allow list defined for s…
✓ SystemCallFilter=~@module               System call allow list defined for s…
✓ SystemCallFilter=~@mount                System call allow list defined for s…
✓ SystemCallFilter=~@raw-io               System call allow list defined for s…
✓ SystemCallFilter=~@reboot               System call allow list defined for s…
✓ SystemCallFilter=~@swap                 System call allow list defined for s…
✗ SystemCallFilter=~@PRIVILEGED           System call allow list defined for s…   0.2
✗ SystemCallFilter=~@resources            System call allow list defined for s…   0.2
✓ AmbientCapabilities=                    Service process does not receive amb…
✓ CapabilityBoundingSet=~CAP_AUDIT_*      Service has no audit subsystem access
✓ CapabilityBoundingSet=~CAP_KILL         Service cannot send UNIX signals to …
✓ CapabilityBoundingSet=~CAP_MKNOD        Service cannot create device nodes
✓ CapabilityBoundingSet=~CAP_NET_(BIND…   Service has no elevated networking p…
✓ CapabilityBoundingSet=~CAP_SYSLOG       Service has no access to kernel logg…
✓ CapabilityBoundingSet=~CAP_SYS_(NICE…   Service has no privileges to change …
✓ RestrictNamespaces=~CLONE_NEWCGROUP     Service cannot create cgroup namespa…
✓ RestrictNamespaces=~CLONE_NEWIPC        Service cannot create IPC namespaces
✓ RestrictNamespaces=~CLONE_NEWNET        Service cannot create network namesp…
✓ RestrictNamespaces=~CLONE_NEWNS         Service cannot create file system na…
✓ RestrictNamespaces=~CLONE_NEWPID        Service cannot create process namesp…
✓ RestrictRealtime=                       Service realtime scheduling access i…
✓ SystemCallFilter=~@cpu-emulation        System call allow list defined for s…
✓ SystemCallFilter=~@obsolete             System call allow list defined for s…
✓ RestrictAddressFamilies=~AF_NETLINK     Service cannot allocate netlink sock…
✗ RootDirectory=/RootImage=               Service runs within the host's root …   0.1
✗ SupplementaryGroups=                    Service runs with supplementary grou…   0.1
✓ CapabilityBoundingSet=~CAP_MAC_*        Service cannot adjust SMACK MAC
✓ CapabilityBoundingSet=~CAP_SYS_BOOT     Service cannot issue reboot()
✓ Delegate=                               Service does not maintain its own de…
✓ LockPersonality=                        Service cannot change ABI personality
✓ MemoryDenyWriteExecute=                 Service cannot create writable execu…
✓ RemoveIPC=                              Service user cannot leave SysV IPC o…
✓ RestrictNamespaces=~CLONE_NEWUTS        Service cannot create hostname names…
✓ UMask=                                  Files created by service are accessi…
✓ CapabilityBoundingSet=~CAP_LINUX_IMM…   Service cannot mark files immutable
✓ CapabilityBoundingSet=~CAP_IPC_LOCK     Service cannot lock memory into RAM
✓ CapabilityBoundingSet=~CAP_SYS_CHROOT   Service cannot issue chroot()
✓ ProtectHostname=                        Service cannot change system host/do…
✓ CapabilityBoundingSet=~CAP_BLOCK_SUS…   Service cannot establish wake locks
✓ CapabilityBoundingSet=~CAP_LEASE        Service cannot create file leases
✓ CapabilityBoundingSet=~CAP_SYS_PACCT    Service cannot use acct()
✓ CapabilityBoundingSet=~CAP_SYS_TTY_C…   Service cannot issue vhangup()
✓ CapabilityBoundingSet=~CAP_WAKE_ALARM   Service cannot program timers that w…
✗ RestrictAddressFamilies=~AF_UNIX        Service may allocate local sockets      0.1

Overall exposure level for ldddns.service: 0.4 SAFE 😀
```