[Pcsclite-muscle] systemd pcscd.service hardening
Ludovic Rousseau
ludovic.rousseau at gmail.com
Sun Jan 19 07:48:08 PST 2025
Hello,
I worked on hardening the systemd file pcscd.service.
The file now looks like:
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket
Documentation=man:pcscd(8)

[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
ExecReload=/usr/sbin/pcscd --hotplug
EnvironmentFile=-/etc/default/pcscd

# Paths
ProtectProc=invisible

# Capabilities
CapabilityBoundingSet=

# Security
NoNewPrivileges=yes

# Process Properties
UMask=0077

# Sandboxing
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes

# System Call Filtering
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
SystemCallArchitectures=native

[Install]
Also=pcscd.socket
I would like you to use this file and report any problem. In
particular I am interested in users that use non USB readers (like
serial or network) because I do not have these configurations for
testing.
The file available in the git PCSC-devel repo is pcscd.service.in
https://github.com/LudovicRousseau/PCSC-devel/blob/master/etc/pcscd.service.in
It should first be converted into pcscd.service using meson(1).
You can update/install it using something like:
$ sudo cp pcscd.service /usr/lib/systemd/system/pcscd.service
$ sudo systemctl daemon-reload
Then let systemd start pcscd (do not run pcscd by hand) and check that
everything works as before.
See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html
The exposure level was:
$ systemd-analyze security pcscd.service
[...]
→ Overall exposure level for pcscd.service: 9.6 UNSAFE 😨
And we now have:
$ systemd-analyze security pcscd.service
[...]
→ Overall exposure level for pcscd.service: 2.1 OK 🙂
Thanks to David Fields for the initial patch
"systemd service hardening for pcscd"
https://github.com/LudovicRousseau/PCSC/issues/207
--
Dr. Ludovic Rousseau
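The directive list above can be checked mechanically before and after an install. The following is an added example (not part of the post or of pcsclite) that parses a unit file's [Service] section with systemd's repeated-key and empty-assignment semantics and reports which of the hardening settings from the post are missing or weaker; the WEAK_UNIT sample is constructed, and the finding strings are this example's own format.

```python
YES_KEYS = ("ProtectHome PrivateTmp PrivateUsers ProtectHostname ProtectClock "
            "ProtectKernelTunables ProtectKernelModules ProtectKernelLogs "
            "ProtectControlGroups RestrictNamespaces LockPersonality MemoryDenyWriteExecute "
            "RestrictRealtime RestrictSUIDSGID NoNewPrivileges").split()
# Scalar directives and the value the hardened pcscd.service assigns to each.
EXPECTED = {**{k: "yes" for k in YES_KEYS}, "ProtectProc": "invisible", "UMask": "0077",
            "ProtectSystem": "strict", "SystemCallArchitectures": "native"}
# Constructed sample (not from the post): an unhardened unit used to exercise audit().
WEAK_UNIT = """[Service]
ExecStart=/usr/sbin/pcscd --foreground
ProtectSystem=full
CapabilityBoundingSet=CAP_SYS_ADMIN
SystemCallFilter=@system-service
"""

def parse_service(text):
    """Map each [Service] key to its assigned values; repeating a key appends, an empty value resets."""
    values, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, _, val = (part.strip() for part in line.partition("="))
            values[key] = [] if val == "" else values.get(key, []) + [val]
    return values

def audit(text):
    """Return a list of findings; an empty list means every directive from the post is in place."""
    svc, findings = parse_service(text), []
    for key, want in EXPECTED.items():
        got = svc.get(key)
        if not got:
            findings.append(f"{key}: missing")
        elif got[-1] != want:  # scalar setting: the last assignment wins
            findings.append(f"{key}: {got[-1]} (expected {want})")
    caps = svc.get("CapabilityBoundingSet")  # a bare 'CapabilityBoundingSet=' drops them all
    if caps != []:
        findings.append("CapabilityBoundingSet: " + ("missing" if caps is None else "keeps " + " ".join(caps)))
    allow, deny = set(), set()
    # A leading '~' applies to every group on that line, not only the first one.
    for line in svc.get("SystemCallFilter", []):
        (deny if line.startswith("~") else allow).update(line.lstrip("~").split())
    if "@system-service" not in allow:
        findings.append("SystemCallFilter: no @system-service allow-list")
    findings += [f"SystemCallFilter: {g} not removed" for g in ("@resources", "@privileged") if g not in deny]
    return findings
```

Run it as `audit(open("/usr/lib/systemd/system/pcscd.service").read())` after the `daemon-reload` step; `systemd-analyze security` remains the authoritative score, this only confirms the file on disk is the one you meant to install.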