From a96b8f414ad01865b585689e51e324c99ab4ad71 Mon Sep 17 00:00:00 2001
From: Jared Van Bortel <cebtenzzre@gmail.com>
Date: Sun, 15 Feb 2026 22:11:44 -0500
Subject: [PATCH 5/6] systemd: drop sudo and harden pia-reset-tunnel service
Remove the sudo privilege drop (the service needs root to write
networkd configs and manipulate interfaces). Add filesystem,
kernel, privilege, and syscall hardening directives.
Co-authored-by: Cursor <cursoragent@cursor.com>
---
systemd/system/pia-reset-tunnel@.service | 36 +++++++++++++++++++++++-
1 file changed, 35 insertions(+), 1 deletion(-)
diff --git a/systemd/system/pia-reset-tunnel@.service b/systemd/system/pia-reset-tunnel@.service
index bd8ab7a..5963fef 100644
--- a/systemd/system/pia-reset-tunnel@.service
+++ b/systemd/system/pia-reset-tunnel@.service
@@ -5,9 +5,10 @@ ConditionPathIsDirectory=/var/cache/pia
ConditionPathExists=/etc/pia.conf
[Service]
+Group=pia
EnvironmentFile=/etc/pia.conf
Type=oneshot
-ExecStart=/usr/bin/sudo -u pia /usr/bin/pia-setup-tunnel \
+ExecStart=/usr/bin/pia-setup-tunnel \
--netdev-template /etc/pia-tools/%I.netdev.tmpl \
--network-template /etc/pia-tools/%I.network.tmpl \
--region $PIA_REGION --username $PIA_USERNAME --password $PIA_PASSWORD --ifname %I
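Review bot: The new ExecStart line still passes `--password $PIA_PASSWORD` on argv, so the credential is readable by every local user via `/proc/<pid>/cmdline` for as long as pia-setup-tunnel runs (the `ProtectProc=` added later in the unit hides other processes from this service, not this service from others). If pia-setup-tunnel can take the password from the environment or a file, prefer that path — e.g. `LoadCredential=pia-password:/etc/pia-password` plus a `--password-file ${CREDENTIALS_DIRECTORY}/pia-password` style argument — otherwise this limitation deserves a comment in the unit. Note also that systemd word-splits the unbraced `$PIA_PASSWORD`, so a password containing whitespace arrives as several arguments; `${PIA_PASSWORD}` passes it as one. Since the unit now runs as uid 0 with only `Group=pia`, a short comment above `Group=pia` such as `# Runs as root (writes /etc/systemd/network, manages interfaces); Group=pia makes created files owned by the pia group` would save readers from assuming a missing `User=`.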
@@ -18,3 +19,36 @@ ExecStartPost=/usr/bin/networkctl reconfigure %I
ExecStartPost=/usr/bin/networkctl up %I
ExecStartPost=/usr/bin/sleep 10
ExecStartPost=-/usr/bin/pia-portforward --ifname %I $RTORRENT $TRANSMISSION
+
+# Filesystem
+ProtectSystem=strict
+ReadWritePaths=/etc/systemd/network /var/cache/pia
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+
+# Kernel
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+
+# Privileges
+NoNewPrivileges=true
+RestrictSUIDSGID=true
+LockPersonality=true
+RemoveIPC=true
+UMask=0002
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_CHOWN
+
+# Misc
+ProtectClock=true
+ProtectHostname=true
+ProtectProc=invisible
+ProcSubset=pid
+RestrictRealtime=true
+RestrictNamespaces=true
+MemoryDenyWriteExecute=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @swap @resources
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
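Review bot: The `SystemCallFilter=~@clock …` line is a denylist, so any syscall outside those groups — `@privileged`, `@setuid`, `@keyring`, the `@process` family — stays allowed to a uid-0 process; systemd's recommended shape for system services is the allowlist `SystemCallFilter=@system-service`, optionally followed by `SystemCallFilter=~@privileged @resources` to subtract what this helper does not need, which is strictly tighter than the current list. Because the default action on a filtered call is to kill the process with SIGSYS, consider `SystemCallErrorNumber=EPERM` so a blocked call fails the script instead of terminating it part-way through writing a file under `/etc/systemd/network`. Separately, `UMask=0002` makes every file the script creates group-writable for `pia` by default, including the generated `.netdev`/`.network` files that systemd-networkd applies as root; unless pia-setup-tunnel sets modes explicitly (not visible here), `UMask=0027` with a targeted chmod on the cache files would avoid handing the pia group write access to trusted network configuration. `MemoryDenyWriteExecute=true` is also worth testing against the actual interpreter or runtime of pia-setup-tunnel, since some runtimes and libffi-based extensions need writable-executable mappings.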
--
2.53.0