Draft: data/NetworkManager.service: restrict the unit some more

Lubomir Rintel requested to merge lr/systemd-unit-lockdown into main

This adds some low-hanging food to improve our score with "systemd-analyze security" by one point:

Before: → Overall exposure level for NetworkManager.service: 7.8 EXPOSED 🙁

After: → Overall exposure level for NetworkManager.service: 6.8 MEDIUM 😐

Nothing particularly impactful here: we still got DAC_OVERRIDE, we still can insert loadable modules (as opposed to relying on autoload) and read user home directories. But there's a slight chance this may save our butts one day, who knows.
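Added example, not part of the merge request or of NetworkManager's code: a Python check that reads a unit file's `[Service]` section and reports which of the three residual exposures named in the description (DAC_OVERRIDE, explicit module loading, readable home directories) are still open. The sample unit and all function names are constructed for illustration; line continuations and drop-in files are assumed absent.

```python
# Constructed sample unit for illustration; not NetworkManager.service's contents.
SAMPLE_UNIT = """\
[Service]
ExecStart=/usr/sbin/exampled
CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_SYS_MODULE
ProtectHome=read-only
"""

TRUE = {"1", "yes", "true", "on"}  # systemd boolean spellings

def service_settings(text):
    """Collect every Key=Value of the [Service] section, keeping file order."""
    settings, section = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def in_bounding_set(assignments, cap):
    """Replay CapabilityBoundingSet= lines; an unset option keeps every capability."""
    present = None
    for value in assignments:
        invert, names = value.startswith("~"), value.lstrip("~").split()
        if not names:                 # "" resets to empty, "~" resets to full
            present = invert
        elif cap in names:            # listed: added, or removed when inverted
            present = not invert
        elif present is None:         # first assignment decides the starting set
            present = invert
    return True if present is None else present

def residual_exposures(text):
    """Return which of the three exposures named in the description remain."""
    s = service_settings(text)
    last = lambda key: (s.get(key) or ["no"])[-1].lower()
    caps = s.get("CapabilityBoundingSet", [])
    found = []
    if in_bounding_set(caps, "CAP_DAC_OVERRIDE"):
        found.append("CAP_DAC_OVERRIDE")
    # ProtectKernelModules=yes drops CAP_SYS_MODULE; autoloading is unaffected.
    if in_bounding_set(caps, "CAP_SYS_MODULE") and last("ProtectKernelModules") not in TRUE:
        found.append("explicit module loading")
    # ProtectHome=read-only still lets the service read /home.
    if last("ProtectHome") not in TRUE | {"tmpfs"}:
        found.append("home directories readable")
    return found
```
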
