From 7ca7c3c80863e022d5681d5d73e27de34cb7094d Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Tue, 7 Jun 2022 18:57:25 -0400
Subject: [PATCH] Add some unit file proteciton directives

This will improve the security stance of gssproxy on systems that use systemd.

Signed-off-by: Simo Sorce
---
 systemd/gssproxy.service.in | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/systemd/gssproxy.service.in b/systemd/gssproxy.service.in
index 482fa4eb..fc819dc9 100644
--- a/systemd/gssproxy.service.in
+++ b/systemd/gssproxy.service.in
@@ -13,5 +13,22 @@ Type=forking
 PIDFile=/run/gssproxy.pid
 ExecReload=/bin/kill -HUP $MAINPID
+ProtectSystem=full
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
+# NoNewPrivileges: when true breaks the ability to open a socket
+# under /var/lib/gssproxy so no NoNewPrivileges
+# PrivateTmp: can't be used as it hides ccaches stored in /tmp
+# ProtectHome: blocks access to /home which may hold ccaches
+# ProtectHostname: blocks propagation of hostname on change
+# but in some cases, when using a keytab, we may want to see hostname
+# changes as the server will want to respond only for the system name
+# ProtectKernelTunables: blocks ability to write to proc.
+# on startup gssproxy needs to write in proc to let nfsd know it can
+# use the "new" gssproxy method instead of the old rpc stuff.
+
+
 
 [Install]
 WantedBy=multi-user.target
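Review bot: The comment block records why NoNewPrivileges, PrivateTmp, ProtectHome, ProtectHostname and ProtectKernelTunables were rejected, but several sandboxing directives that do not touch any of the constraints it names (ccaches under /tmp and /home, the /proc write for nfsd, hostname visibility, the socket under /var/lib/gssproxy) are neither enabled nor mentioned, so a later reader cannot tell whether they were evaluated or simply overlooked. Candidates that look compatible with what the comments say gssproxy does are `ProtectKernelModules=true`, `RestrictSUIDSGID=true` and `LockPersonality=true`; if one of them does break gssproxy, a one-line comment in the same style as the existing ones would record that. It is also worth noting that `ProtectClock=` and `ProtectKernelLogs=` are considerably newer than the other directives (systemd 244/245 era, if I recall correctly), and older systemd releases log an "Unknown key name" warning and ignore them rather than failing the unit, so on those systems the hardening is silently partial. Finally, the NoNewPrivileges comment says it "breaks the ability to open a socket" under /var/lib/gssproxy; no_new_privs does not by itself prevent socket creation, so if the real cause is something more specific (for example an SELinux domain transition that no_new_privs blocks) stating it would help whoever revisits this decision.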