Re: nftables.service hardening ideas

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Florian Westphal <fw@strlen.de>
To: Christoph Anton Mitterer <calestyo@scientia.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: nftables.service hardening ideas
Date: Tue, 28 Oct 2025 17:26:36 +0100	[thread overview]
Message-ID: <aQDuvGsDwlaiK94D@strlen.de> (raw)
In-Reply-To: <71e8f96ac2cd1ee0ab8676facb04b40870a095a1.camel@scientia.org>

Christoph Anton Mitterer <calestyo@scientia.org> wrote:
> This would be ideas about further hardening nftables.service, primarily
> using the options from systemd.exec(5).

Whats the point?  nft will exit anyway.

> which not only mounts some but the entire fs hierarchy read-only for
> the service's commands.
> I guess nft -f should never write anywhere, or does it? At least it
> seems to work.

nft -f should not write anything.

> 4. I guess nft needs no capabilities/privileges other than
> CAP_NET_ADMIN:
> > CapabilityBoundingSet=CAP_NET_ADMIN
> > AmbientCapabilities=""
> > NoNewPrivileges=yes
> 
> CapabilityBoundingSet=CAP_NET_ADMIN would supersede the =~CAP_SYS_ADMIN
> from (2) above.

CAP_NET_ADMIN is mandatory and should work as only capability.

> AmbientCapabilities="" disables all ambient capabilities, I'd blindly
> guess that nftables doesn't execve(),... but it shouldn't harm either.

It doesn't execve.

> 5. There should be no reason why nft -f needs to access stuff in /tmp
> or /var/tmp of anything else, so:
> > PrivateTmp=yes

Makes no sense to me.  nft -f won't write anything.

> 7. AFAICS, nft -f may cause modules to be loaded, but that's done
> indirectly (i.e. I guess by the kernel itself?)

nft relies on kernel module autoloading.

> So leats get a bit more exotic ;-)

Exotic? More like estoteric, this is bad.  Service file should be small and not rely
on obscure and maybe not well-tested systemd code paths.

next prev parent reply	other threads:[~2025-10-28 16:26 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-27  3:36 nftables.service hardening ideas Christoph Anton Mitterer
2025-10-28 16:26 ` Florian Westphal [this message]
2025-10-29  0:55   ` Christoph Anton Mitterer
2025-10-30 23:10     ` Florian Westphal
2025-10-30 23:59       ` Christoph Anton Mitterer
2025-10-30 23:30 ` Pablo Neira Ayuso
2025-10-30 23:59   ` Christoph Anton Mitterer

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aQDuvGsDwlaiK94D@strlen.de \
    --to=fw@strlen.de \
    --cc=calestyo@scientia.org \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.