[sys-auth/polkit] Harden systemd service configuration #933

Open: wants to merge 2 commits into base: main
Conversation

krishjainx
Contributor

[sys-auth/polkit] Harden systemd service configuration

This pull request introduces hardened systemd service configuration for the polkit service, resulting in a significant reduction in the exposure level from 9.6 to 1.9, as determined by the systemd-analyze security command.

Changes Made

  • Added hardening measures utilizing systemd features to enhance the security of the polkit service.

How to Use

I have already modified the ebuild to include the necessary changes for installing the additional hardening measures. Simply follow the regular installation process to benefit from the enhanced security.

Testing Done

  • Analyzed the polkit service using systemd-analyze to ensure the effectiveness of the hardening measures.
  • Conducted testing to verify that the polkit service functions as expected after implementing the changes.
  • Examined logs

Checklist

  • Added appropriate changelog entries in the respective changelog/ directory to reflect the changes made (user-facing change, bug fix, security fix, update).

Please review the changes and provide any feedback or suggestions for improvement.

@pothos
Member

pothos commented Jun 16, 2023

The best place to submit this is to the upstream polkit project, the risk for us to break things is too high because we don't have good test coverage.

@krishjainx
Contributor Author

krishjainx commented Jun 16, 2023

@pothos Seems like a good time to do it. The last commit was trying to do precisely this, albeit to a lesser extent.

https://gitlab.freedesktop.org/polkit/polkit/-/commit/25eef55dddbf0b4d635fbdd508710b496be80d9c

image

@jepio
Member

jepio commented Jun 16, 2023

Then it's a good idea to align with upstream, by either updating polkit to a version that has the updated file or if that is not available yet - updating the file ourselves.

@krishjainx
Contributor Author

Upstream's hardening is not as extensive as mine, so I'm going to get this hardening merged upstream.

@pothos
Member

pothos commented Jun 16, 2023

Ah, so it's a mix of backport plus changes, then great, fewer things to submit upstream. They will know best what settings are valid and what aren't.
That said, I don't see much benefit of any hardening because once you take over the polkit daemon you control the permission granting and can grant malicious actions outside of the service sandbox (simple example: pkexec id will run the process as root outside of the service sandbox and only query polkit for the permission check).
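The exact directives this PR adds are not shown in the thread, so the following is an added example, not the PR's own ebuild change or polkit's upstream unit: it renders a systemd drop-in for polkit.service from an assumed set of sandboxing directives, and parses the exposure score that `systemd-analyze security` prints so the score can be gated in CI the way the "Testing Done" section describes. The directive set, the drop-in file name `hardening.conf`, and the sample `systemd-analyze` output lines are all assumptions; the before/after scores 9.6 and 1.9 are the ones quoted in the PR description. As pothos notes above, the score only measures how tightly polkitd itself is confined; it says nothing about what polkit authorizes other processes (such as pkexec) to do outside that sandbox, so a low score is not a substitute for reviewing the authorization rules.

```python
"""Render a systemd hardening drop-in for polkit.service and check the
exposure level reported by `systemd-analyze security`.

Added example; the directive set below is an assumption, not the PR's list.
Every directive must be validated against the running service, since a
sandbox that blocks a syscall or path polkitd needs will break authorization
for the whole system rather than harden it.
"""
import re
import shutil
import subprocess
from pathlib import Path

# Assumed directive set (all are documented systemd.exec(5) settings).
HARDENING_DIRECTIVES = {
    "ProtectSystem": "strict",
    "ProtectHome": "yes",
    "PrivateTmp": "yes",
    "PrivateDevices": "yes",
    "ProtectKernelTunables": "yes",
    "ProtectKernelModules": "yes",
    "ProtectControlGroups": "yes",
    "RestrictAddressFamilies": "AF_UNIX",
    "RestrictNamespaces": "yes",
    "LockPersonality": "yes",
    "MemoryDenyWriteExecute": "yes",
    "SystemCallArchitectures": "native",
    "SystemCallFilter": "@system-service",
}

# Constructed sample output, shaped like the tail of `systemd-analyze security`;
# the numbers are the before/after scores quoted in the PR description.
SAMPLE_BEFORE = (
    "  NAME                          DESCRIPTION                 EXPOSURE\n"
    "✗ PrivateTmp=                   Service has access to other software's temporary files  0.1\n"
    "\n→ Overall exposure level for polkit.service: 9.6 UNSAFE 😨\n"
)
SAMPLE_AFTER = (
    "✓ PrivateTmp=                   Service has no access to other software's temporary files\n"
    "\n→ Overall exposure level for polkit.service: 1.9 OK 🙂\n"
)

EXPOSURE_RE = re.compile(r"Overall exposure level for (\S+): ([0-9]+(?:\.[0-9]+)?) (\S+)")


def render_dropin(directives=None) -> str:
    """Return the text of a [Service] drop-in carrying the hardening directives."""
    directives = HARDENING_DIRECTIVES if directives is None else directives
    return "[Service]\n" + "".join(f"{k}={v}\n" for k, v in directives.items())


def write_dropin(unit: str = "polkit.service",
                 root: Path = Path("/etc/systemd/system")) -> Path:
    """Write the drop-in to <root>/<unit>.d/hardening.conf and return its path.

    The file name `hardening.conf` is an assumption. Run `systemctl daemon-reload`
    afterwards for systemd to pick it up.
    """
    path = root / f"{unit}.d" / "hardening.conf"
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(render_dropin())
    return path


def parse_exposure(output: str):
    """Extract (unit, score, verdict) from `systemd-analyze security` output."""
    match = EXPOSURE_RE.search(output)
    if match is None:
        raise ValueError("no 'Overall exposure level' line found in output")
    return match.group(1), float(match.group(2)), match.group(3)


def exposure_ok(output: str, threshold: float = 2.0) -> bool:
    """CI-style gate: True when the reported exposure is at or below `threshold`.

    systemd's own buckets treat a score under 2.0 as OK, so that is the default.
    """
    return parse_exposure(output)[1] <= threshold


def measure(unit: str = "polkit.service") -> str:
    """Run `systemd-analyze security <unit>` and return its output (needs systemd)."""
    return subprocess.run(
        ["systemd-analyze", "security", "--no-pager", unit],
        capture_output=True, text=True, check=False,
    ).stdout


if __name__ == "__main__":
    print(render_dropin(), end="")
    if shutil.which("systemd-analyze"):
        out = measure()
        print("exposure:", parse_exposure(out), "ok:", exposure_ok(out))
    else:
        for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
            print(label, parse_exposure(sample), "ok:", exposure_ok(sample))
```

A practical flow is to call `write_dropin()` on a test machine, reload, restart polkit.service, exercise an authorization path (the PR description's "conducted testing"), and only then read the score with `measure()`; the `exposure_ok` gate keeps a later change to the unit from silently regressing the score, but passing the gate proves nothing about whether polkitd still works, which is why the functional test comes first.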

@thesamesam

By the way, we're interested in this sort of thing upstream too (although ideally send it to "real" upstream first): https://archives.gentoo.org/gentoo-dev/message/42e5ea98d30c7c10c103cca0b6a2bafb.

@krishjainx
Contributor Author

@thesamesam Hi! It's great to hear that you're interested in this as well. I've sent this patch to the relevant maintainer of Polkit at Red Hat, and they have shown great enthusiasm about the benefits of these options. They mentioned that Polkit's security analysis using systemd-analyze security would be satisfactory for them after implementing this patch.

They then informed me that this was already on their list, but they're currently bogged down with merge requests. While Gentoo would like to stick as close to upstream as possible, would you consider adding this to Gentoo already? IMO it's ultimately the distribution's responsibility to provide the packages, and if the benefits are worth it, I'd say let's go ahead and include it. This way, all the users of Gentoo, including the Flatcar team at Microsoft, can benefit from it when syncing with Gentoo.

@thesamesam

@krishjainx Hi! Yeah, that sounds good to me. Just make sure you include a link to any relevant upstream MRs/bugs in the patch.
