[Pcsclite-muscle] systemd pcscd.service hardening
Ran Benita
ran at unusedvar.com
Sun Jan 19 12:57:38 PST 2025
On Sun, Jan 19, 2025, at 17:48, Ludovic Rousseau wrote:
> Hello,
>
> I worked on hardening the systemd file pcscd.service.
> The file now looks like:
This is an excellent improvement.
> [Unit]
> Description=PC/SC Smart Card Daemon
> Requires=pcscd.socket
> Documentation=man:pcscd(8)
>
> [Service]
> ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
> ExecReload=/usr/sbin/pcscd --hotplug
> EnvironmentFile=-/etc/default/pcscd
>
> # Paths
> ProtectProc=invisible
>
> # Capabilities
> CapabilityBoundingSet=
>
> # Security
> NoNewPrivileges=yes
>
> # Process Properties
> UMask=0077
>
> # Sandboxing
> ProtectSystem=strict
> ProtectHome=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectHostname=yes
> ProtectClock=yes
> ProtectKernelTunables=yes
> ProtectKernelModules=yes
> ProtectKernelLogs=yes
> ProtectControlGroups=yes
> RestrictNamespaces=yes
> LockPersonality=yes
> MemoryDenyWriteExecute=yes
> RestrictRealtime=yes
> RestrictSUIDSGID=yes
>
> # System Call Filtering
> SystemCallFilter=@system-service
> SystemCallFilter=~@resources @privileged
In my experience, removing @privileged isn't worth it: there's too much code making occasional use
of e.g. fchown, and debugging seccomp kills is not easy for ordinary users.
> SystemCallArchitectures=native
>
> [Install]
> Also=pcscd.socket
The largest sandboxing omission is, of course, running as a non-root user. As long as pcscd is running
as root, it'd be very hard to avoid sandbox escapes. What are the reasons that pcscd needs root?
The biggest one I know of is access to (USB) devices, but I think the IFD handlers can install udev
rules giving the pcscd user (and only the pcscd user) access to their relevant devices (and only their
relevant devices).
Are there other reasons?
(I did a web search now, and found your old blog post about this:
https://ludovicrousseau.blogspot.com/2010/12/configuring-your-system-for-pcscd-auto.html
but this is no longer present, so I guess it didn't work out?)
Ran
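The points raised in this exchange (the sandboxing directives, the cost of `~@privileged`, and the missing `User=`) can be checked mechanically. The script below is an added example, not code from pcsclite or from either author. It parses a unit file the way systemd reads it rather than as plain INI: a setting may be assigned more than once, list-valued settings such as `SystemCallFilter=` merge across assignments, an empty assignment resets the list, and a leading `~` marks a deny list. The directive list in `EXPECTED`, the `audit()` function and the wording of its findings are this example's own choices; the sample unit text is the one quoted in the thread.

```python
"""Audit a systemd unit's [Service] section for sandboxing directives.

Added example (not pcsclite code). systemd merges repeated list-valued
settings, resets them on an empty assignment, and treats a leading "~" in
SystemCallFilter= as a deny list; parse_unit() and resolve_syscall_filter()
follow those rules so the audit sees the filter systemd would apply.
"""
import re

# Constructed sample: the [Service] section quoted in the thread above.
SAMPLE_UNIT = """\
[Unit]
Description=PC/SC Smart Card Daemon
Requires=pcscd.socket

[Service]
ExecStart=/usr/sbin/pcscd --foreground --auto-exit $PCSCD_ARGS
ExecReload=/usr/sbin/pcscd --hotplug
EnvironmentFile=-/etc/default/pcscd
ProtectProc=invisible
CapabilityBoundingSet=
NoNewPrivileges=yes
UMask=0077
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
SystemCallArchitectures=native
"""

# Scalar directives a hardened service is expected to carry (example's own list).
EXPECTED = {
    "NoNewPrivileges": "yes",
    "ProtectSystem": "strict",
    "ProtectHome": "yes",
    "PrivateTmp": "yes",
    "ProtectKernelTunables": "yes",
    "ProtectKernelModules": "yes",
    "RestrictNamespaces": "yes",
    "MemoryDenyWriteExecute": "yes",
    "SystemCallArchitectures": "native",
}


def parse_unit(text):
    """Return {section: {key: [values in file order]}}; duplicate keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([A-Za-z]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, _, value = line.partition("=")
        current.setdefault(key.strip(), []).append(value.strip())
    return sections


def resolve_syscall_filter(assignments):
    """Fold repeated SystemCallFilter= lines into (allow_set, deny_set)."""
    allow, deny = set(), set()
    for value in assignments:
        if value == "":                 # empty assignment resets the filter
            allow.clear()
            deny.clear()
        elif value.startswith("~"):     # "~a b" removes a and b
            deny.update(value[1:].split())
        else:
            allow.update(value.split())
    return allow, deny


def audit(text):
    """Return human-readable findings for the [Service] section."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for key, want in EXPECTED.items():
        got = service.get(key, [None])[-1]      # last assignment wins for scalars
        if got != want:
            findings.append(f"{key}={got} (expected {want})")
    if "User" not in service:
        findings.append("User= not set: the service runs as root")
    if "CapabilityBoundingSet" not in service:
        findings.append("CapabilityBoundingSet= not set: all capabilities kept")
    allow, deny = resolve_syscall_filter(service.get("SystemCallFilter", []))
    if not allow and not deny:
        findings.append("no SystemCallFilter=: no seccomp filter applied")
    if "@privileged" in deny:
        # @privileged contains @chown, so fchown() & co. are denied; without
        # SystemCallErrorNumber= the offending process is killed with SIGSYS.
        findings.append("~@privileged denies @chown (fchown etc.): "
                        "a stray chown call kills the process")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_UNIT):
        print("finding:", finding)
```

Run against the quoted unit, the audit reports exactly the two points made in the reply: no `User=`, and the `~@privileged` deny list covering `@chown`. Appending `User=pcscd` clears the first; replacing the deny list with a narrower one (or adding `SystemCallErrorNumber=`) is how the second is usually handled.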