Avoiding CVE-2016-8655 with systemd
Just a quick note: on recent versions of systemd it is relatively easy to block the vulnerability described in CVE-2016-8655 for individual services.
Since systemd release v211 there's an option
RestrictAddressFamilies=
for service unit files which takes away the right to create sockets of
specific address families for processes of the service. In your unit
file, add RestrictAddressFamilies=~AF_PACKET
to the [Service]
section to make AF_PACKET
unavailable to it (i.e. a blacklist),
which is sufficient to close the attack path. Safer of course is a
whitelist of address families whch you can define by dropping the ~
character from the assignment. Here's a trivial example:
…
[Service]
ExecStart=/usr/bin/mydaemon
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
…
This restricts access to socket families, so that the service may
access only AF_INET
, AF_INET6
or AF_UNIX
sockets, which is
usually the right, minimal set for most system daemons. (AF_INET
is
the low-level name for the IPv4 address family, AF_INET6
for the
IPv6 address family, and AF_UNIX
for local UNIX socket IPC).
Starting with systemd v232 we added RestrictAddressFamilies=
to all
of systemd's own unit files, always with the minimal set of socket
address families appropriate.
With the upcoming v233 release we'll provide a second method for
blocking this vulnerability. Using
RestrictNamespaces=
it is possible to limit which types of Linux namespaces a service may
get access to. Use RestrictNamespaces=yes
to prohibit access to any
kind of namespace, or set RestrictNamespaces=net ipc
(or similar) to
restrict access to a specific set (in this case: network and IPC
namespaces). Given that user namespaces have been a major source of
security vulnerabilities in the past months it's probably a good idea
to block namespaces on all services which don't need them (which is
probably most of them).
Of course, ideally, distributions such as Fedora, as well as upstream developers would turn on the various sandboxing settings systemd provides like these ones by default, since they know best which kind of address families or namespaces a specific daemon needs.