[usb-moded] Systemd sandboxing. JB#44449

Usb-moded is running as root, with full capability set. Define and use minimal set of capabilities required by usb-moded to operate correctly on all supported devices. Document further sandboxing actions that should be made, but are not possible with the systemd version that is currently available in sailfish. Signed-off-by: Simo Piiroinen <simo.piiroinen@jollamobile.com>
JamiKettunen · Jan 28, 2020 · df3179c · df3179c
1 parent fdb25ac
commit df3179c
Show file tree

Hide file tree

Showing 3 changed files with 87 additions and 6 deletions.
diff --git a/rpm/usb-moded.spec b/rpm/usb-moded.spec
@@ -321,6 +321,7 @@ install -m 644 docs/usb_moded-doc.txt %{buildroot}/%{_docdir}/%{name}-%{version}
 install -m 644 -D debian/manpage.1 %{buildroot}/%{_mandir}/man1/usb-moded.1
 install -m 644 -D debian/usb_moded.conf %{buildroot}/%{_sysconfdir}/dbus-1/system.d/usb_moded.conf
 install -m 644 -D %{SOURCE1} %{buildroot}/%{_sysconfdir}/modprobe.d/usb_moded.conf
+install -d %{buildroot}/%{_sysconfdir}
 install -d %{buildroot}/%{_sysconfdir}/usb-moded
 install -d %{buildroot}/%{_sysconfdir}/usb-moded/run
 install -d %{buildroot}/%{_sysconfdir}/usb-moded/run-diag
@@ -333,9 +334,9 @@ install -m 644 -D config/run-diag/* %{buildroot}/%{_sysconfdir}/usb-moded/run-di
 install -m 644 -D config/mass-storage-jolla.ini %{buildroot}/%{_sysconfdir}/usb-moded/
 install -d %{buildroot}/%{_sharedstatedir}/usb-moded
 
+ln -sf /run/usb-moded/udhcpd.conf %{buildroot}/%{_sysconfdir}/udhcpd.conf
 
 touch %{buildroot}/%{_sysconfdir}/modprobe.d/g_ether.conf
-touch %{buildroot}/%{_sysconfdir}/udhcpd.conf
 #systemd stuff
 install -d $RPM_BUILD_ROOT/lib/systemd/system/basic.target.wants/
 install -m 644 -D systemd/%{name}.service %{buildroot}/lib/systemd/system/%{name}.service
@@ -362,16 +363,16 @@ systemctl daemon-reload || :
 %dir %{_sysconfdir}/usb-moded
 %dir %{_sysconfdir}/usb-moded/dyn-modes
 %dir %{_sysconfdir}/usb-moded/run
-%config %{_sysconfdir}/dbus-1/system.d/usb_moded.conf
-%config %{_sysconfdir}/modprobe.d/usb_moded.conf
+%{_sysconfdir}/udhcpd.conf
+%{_sysconfdir}/dbus-1/system.d/usb_moded.conf
+%{_sysconfdir}/modprobe.d/usb_moded.conf
 %ghost %config %{_sysconfdir}/modprobe.d/g_ether.conf
-%ghost %{_sysconfdir}/udhcpd.conf
 %ghost %{_sysconfdir}/usb-moded/usb-moded.ini
 %{_sbindir}/usb_moded
 %{_sbindir}/usb_moded_util
 /lib/systemd/system/%{name}.service
 /lib/systemd/system/basic.target.wants/%{name}.service
-%config %{_sysconfdir}/tmpfiles.d/usb-moded.conf
+%{_sysconfdir}/tmpfiles.d/usb-moded.conf
 %dir %{_sharedstatedir}/usb-moded
 %ghost %{_sharedstatedir}/usb-moded/usb-moded.ini
 

diff --git a/systemd/usb-moded.conf b/systemd/usb-moded.conf
@@ -1 +1 @@
-d /run/usb-moded/ 0644 root root
+d /run/usb-moded/ 0755 root root
diff --git a/systemd/usb-moded.service b/systemd/usb-moded.service
@@ -15,5 +15,85 @@ ExecStart=/usr/sbin/usb_moded --systemd --force-syslog $USB_MODED_ARGS $USB_MODE
 Restart=always
 ExecReload=/bin/kill -HUP $MAINPID
 
+## Sandboxing
+
+# What we want to have is:
+#
+# /                  - readonly
+# /tmp               - private writable
+# /config            - shared writable (configfs gadget setup)
+# /sys               - shared writable (android-usb gadget setup, wakelocks)
+# /dev               - shared writable (mounting/unmounting mtp fs)
+# /run/usb-moded     - shared writable (udhcpd config file)
+# /var/lib/usb-moded - writable (usb-moded runtime settings data)
+#
+# Seems that attempting to use high level settings
+# like ProtectSystem, PrivateTmp, ... leads to problems
+# like mtp mount done from usb-moded not being visible
+# to mtp daemon
+
+ProtectSystem=no
+PrivateDevices=no
+PrivateTmp=no
+
+# Could use low level settings, but they are not
+# supported by our version of systemd ...
+
+#ReadOnlyPaths=/
+#ReadWritePaths=/tmp
+#ReadWritePaths=/sys
+#ReadWritePaths=/dev
+#ReadWritePaths=/config
+#ReadWritePaths=/run/usb-moded
+#ReadWritePaths=/var/lib/usb-moded
+
+# Usb-moded needs to start/stop user sessions services
+# when activating/deactivating mtp mode -> must retain
+# access to user data and home directories
+
+ProtectHome=no
+
+# a) The list of supplementary groups usb-moded needs to
+#    function properly varies from one device to another.
+# b) If any of the listed supplementary groups do not
+#    exist on the system, systemd refuses to execute
+#
+# Combining (a) and (b) makes SupplementaryGroups useless,
+# and we need to rely on CAP_DAC_OVERRIDE
+
+#SupplementaryGroups=system wakelock ...
+
+################################################################################################################################################################################################################################################################
+
+## Security
+
+# NoNewPrivileges does not work in Jolla Phone
+#NoNewPrivileges=yes
+
+# Note: Due to old systemd version: CapabilityBoundingSet merging
+#       does not work - all caps must be listed on a single line.
+
+# CAP_BLOCK_SUSPEND
+# -> wakelocking
+
+# CAP_NET_ADMIN
+# CAP_NET_RAW
+# -> network setup via ifconfig subprocess etc
+
+# CAP_SETUID
+# CAP_SETGID
+# -> running systemctl-user -> uid/gid change
+
+# CAP_SYS_RESOURCE
+# -> running systemctl-user -> scheduling config
+
+# CAP_DAC_OVERRIDE
+# -> working around problems with SupplementaryGroups=
+
+# CAP_SYS_ADMIN
+# -> mount/unmount mtp device
+
+CapabilityBoundingSet=CAP_BLOCK_SUSPEND CAP_NET_ADMIN CAP_NET_RAW CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_SYS_ADMIN
+
 [Install]
 WantedBy=basic.target
Original file line number	Diff line number	Diff line change
		@@ -1 +1 @@
		d /run/usb-moded/ 0644 root root
		d /run/usb-moded/ 0755 root root