[sys-auth/polkit] Harden systemd service configuration #933
The best place to submit this is to the upstream polkit project; the risk for us to break things is too high because we don't have good test coverage.
Build action triggered: https://github.com/flatcar/scripts/actions/runs/5290391882
@pothos Seems like a good time to do it. The last commit was trying to do precisely this, albeit to a lesser extent. https://gitlab.freedesktop.org/polkit/polkit/-/commit/25eef55dddbf0b4d635fbdd508710b496be80d9c
Then it's a good idea to align with upstream, by either updating polkit to a version that has the updated file or, if that is not available yet, updating the file ourselves.
Upstream's hardening is not as extensive as mine, so I'm going to get this hardening merged upstream.
Ah, so it's a mix of backport plus changes, then great, fewer things to submit upstream. They will know best what settings are valid and what aren't.
By the way, we're interested in this sort of thing upstream too (although ideally send it to "real" upstream first): https://archives.gentoo.org/gentoo-dev/message/42e5ea98d30c7c10c103cca0b6a2bafb.
@thesamesam Hi! It's great to hear that you're interested in this as well. I've sent this patch to the relevant maintainer of Polkit at Red Hat, and they have shown great enthusiasm about the benefits of these options. They mentioned that Polkit's security analysis using They then informed me that this was already on their list, but they're currently bogged down with merge requests. While Gentoo would like to stick as close to upstream as possible, would you consider adding this to Gentoo already? IMO, ultimately it's the distribution's responsibility to provide the packages, and if the benefits are worth it, I'd say let's go ahead and include it. This way, all the users of Gentoo, including the Flatcar team at Microsoft, can benefit from it when syncing with Gentoo.
@krishjainx Hi! Yeah, that sounds good to me. Just make sure you include a link to any relevant upstream MRs/bugs in the patch.
[sys-auth/polkit] Harden systemd service configuration
This pull request introduces hardened systemd service configuration for the polkit service, resulting in a significant reduction in the exposure level from 9.6 to 1.9, as determined by the systemd-analyze security command.
Changes Made
How to Use
I have already modified the ebuild to include the necessary changes for installing the additional hardening measures. Simply follow the regular installation process to benefit from the enhanced security.
Testing Done
Checklist
changelog/ directory to reflect the changes made (user-facing change, bug fix, security fix, update).
Please review the changes and provide any feedback or suggestions for improvement.