[Pcsclite-muscle] systemd pcscd.service hardening
Ludovic Rousseau
ludovic.rousseau at gmail.com
Sun Feb 2 08:47:17 PST 2025
Hello,
I got no complaints about the use of systemd hardening.
So I guess it is OK and I will push this change in the next pcsc-lite version.
Bye
On Sun, Jan 19, 2025 at 16:48, Ludovic Rousseau
<ludovic.rousseau at gmail.com> wrote:
>
> Hello,
>
> I worked on hardening the systemd file pcscd.service.
> The file now looks like:
>
> [Unit]
> Description=PC/SC Smart Card Daemon
> Requires=pcscd.socket
> Documentation=man:pcscd(8)
>
> [Service]
> ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
> ExecReload=/usr/sbin/pcscd --hotplug
> EnvironmentFile=-/etc/default/pcscd
>
> # Paths
> ProtectProc=invisible
>
> # Capabilities
> CapabilityBoundingSet=
>
> # Security
> NoNewPrivileges=yes
>
> # Process Properties
> UMask=0077
>
> # Sandboxing
> ProtectSystem=strict
> ProtectHome=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectHostname=yes
> ProtectClock=yes
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> RestrictNamespaces=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
>
> # System Call Filtering
> SystemCallFilter=@system-service
> SystemCallFilter=~@resources @privileged
> SystemCallArchitectures=native
>
> [Install]
> Also=pcscd.socket
>
>
> I would like you to use this file and report any problem. In
> particular I am interested in users who use non-USB readers (like
> serial or network) because I do not have these configurations for
> testing.
>
> The file available in the git PCSC-devel repo is pcscd.service.in
> https://github.com/LudovicRousseau/PCSC-devel/blob/master/etc/pcscd.service.in
> It should first be converted into pcscd.service using meson(1).
>
> You can update/install it using something like:
> $ sudo cp pcscd.service /usr/lib/systemd/system/pcscd.service
> $ sudo systemctl daemon-reload
> Then let systemd start pcscd (do not run pcscd by hand) and check that
> everything works as before.
>
> See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
>
> The exposure level was:
> $ systemd-analyze security pcscd.service
> [...]
> → Overall exposure level for pcscd.service: 9.6 UNSAFE 😨
>
> And we now have:
> $ systemd-analyze security pcscd.service
> [...]
> → Overall exposure level for pcscd.service: 2.1 OK 🙂
>
> Thanks to David Fields for the initial patch
> "systemd service hardening for pcscd"
> https://github.com/LudovicRousseau/PCSC/issues/207
>
> --
> Dr. Ludovic Rousseau
--
Dr. Ludovic Rousseau
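
An added example (not part of the original message or of pcsc-lite): a Python check that merges a unit file with any drop-ins and reports where the effective [Service] settings differ from the hardened values quoted above. The sample drop-in is constructed, and the merge covers only what this unit uses: boolean spellings, and list directives that append on each assignment and reset on an empty one.

```python
# Added example: detect drift from the hardened [Service] block in the post.
# BASELINE is copied from the message; the SAMPLE_* inputs are constructed.
SCALARS = ("ProtectProc=invisible NoNewPrivileges=yes UMask=0077 "
           "ProtectSystem=strict ProtectHome=yes PrivateTmp=yes PrivateUsers=yes "
           "ProtectHostname=yes ProtectClock=yes ProtectKernelTunables=yes "
           "ProtectKernelModules=yes ProtectKernelLogs=yes ProtectControlGroups=yes "
           "RestrictNamespaces=yes LockPersonality=yes MemoryDenyWriteExecute=yes "
           "RestrictRealtime=yes RestrictSUIDSGID=yes SystemCallArchitectures=native")
BASELINE = dict(item.split("=") for item in SCALARS.split())
# List-type directives: each assignment appends, an empty one resets the list.
BASELINE["CapabilityBoundingSet"] = []
BASELINE["SystemCallFilter"] = ["@system-service", "~@resources @privileged"]
TRUTHY = {"true": "yes", "1": "yes", "on": "yes"}  # systemd boolean spellings

def parse_service(*texts):
    """Merge the [Service] sections of a unit file and its drop-ins, in order."""
    merged = {}
    for text in texts:
        section = None
        for line in map(str.strip, text.splitlines()):
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line and line[0] not in "#;":
                key, value = (part.strip() for part in line.split("=", 1))
                if isinstance(BASELINE.get(key), list):
                    merged[key] = merged.get(key, []) + [value] if value else []
                else:
                    merged[key] = TRUTHY.get(value.lower(), value)  # last one wins
    return merged

def audit(*texts):
    """Return findings; an empty list means the merged unit matches the baseline."""
    effective = parse_service(*texts)
    findings = []
    for key, want in BASELINE.items():
        got = effective.get(key, "not set")
        if got != want:
            findings.append(f"{key}: {got!r}, baseline {want!r}")
    return findings

# Constructed inputs: the hardened unit rendered from BASELINE, and a drop-in
# that weakens ProtectSystem and resets the syscall filter before re-adding to it.
SAMPLE_UNIT = ("[Service]\n" + "\n".join(SCALARS.split()) + "\nCapabilityBoundingSet=\n"
               "SystemCallFilter=@system-service\nSystemCallFilter=~@resources @privileged\n")
SAMPLE_DROPIN = ("[Service]\nProtectSystem=full\nNoNewPrivileges=true\n"
                 "SystemCallFilter=\nSystemCallFilter=@system-service\n")

if __name__ == "__main__":
    print(audit(SAMPLE_UNIT) or "matches baseline")
    print("\n".join(audit(SAMPLE_UNIT, SAMPLE_DROPIN)))
```

The output of `systemctl cat pcscd.service` (unit file followed by its drop-ins) can be passed to `audit()` as a single text, since repeated [Service] sections are merged in order.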