Eddie-elevated.service hardened systemd profile

[Stack of computer parts 9]

I was bored and wrote this hardened systemd profile if you are using eddie with the eddie-elevated.service which is created when you check "Settings>General>Dont ask elevation every run"
One downside to doing it this way is you are giving elevated privileges to eddie which could be exploited.

I tested this on Debian 11 only, using Wireguard, hummingbird, and OpenVPN so some tweaks may have to be made if you use Arch btw. (I think the only one that matters is the "ReadWritePaths" option needing to be set to /run and not /etc, but there could be others). I assume most systemd distros should be similar.

Use to view the results of systemd's security audit of itself

systemd-analyze security

to view a detailed list of eddie-elevated.service:

systemd-analyze security eddie-elevated.service

...or really any other service you are interested in.

eddie-elevated.service (and most systemd services) show up with a bad score of 9.6 and a sadface. With this profile it gets it down to 3.8 for hummingbird and 2.5 for Wireguard. It does this by explicitly allowing and denying access to specific functions and file locations, similar to any other jail or sandbox.

Just make a folder called eddie-elevated.service.d containing a file called hardening.conf in /etc/systemd/system (or wherever for your distro) to make your edits. When you are done run the following

systemctl daemon-reload
systemctl restart eddie-elevated.service

and start up eddie. It should work and be a little more secure.

I am sure this systemd process can be further hardened but this should be a good first draft. Perhaps with more eyes on it it can be further improved.

eddie-elevated.service.d/hardening.conf

[Service]

CapabilityBoundingSet=~ALL
CapabilityBoundingSet=CAP_SYS_PTRACE CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW

## WireGuard ##
## Wireguard can be locked down further than hummingbird,
## if using it uncomment below and comment out the hummingird lines
#DevicePolicy=closed
#RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
#RestrictAddressFamilies=~AF_UNIX AF_LOCAL AF_PACKET AF_KEY AF_AX25 AF_IPX AF_X25 AF_APPLETALK AF_DECnet AF_KCM AF_XDP AF_IB AF_CAN AF_MPLS A>
#ReadWritePaths= /etc
## Self note, maybe need to look at AF_UNIX AF_LOCAL this explicit deny is untested
#PrivateDevices=yes
#ProtectHome=yes
#ProtectSystem=strict
#ProtectClock=yes
##/Wireguard ##

## Hummingbird or OpenVPN##
## If using either, uncomment these lines and comment out the wireguard selections
#RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX AF_LOCAL
#RestrictAddressFamilies=~AF_PACKET AF_KEY AF_AX25 AF_IPX AF_X25 AF_APPLETALK AF_DECnet AF_KCM AF_XDP AF_IB AF_CAN AF_MPLS AF_TIPC AF_BLUETOOT>
## If hummingbird is installed in the home directory ##
#ProtectHome=read-only
##/Hummingbird or OpenVPN##

RestrictRealtime=yes
RestrictSUIDSGID=yes
RestrictNamespaces=yes

PrivateTmp=yes

SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @swap @privileged @resources @obsolete @cpu-emulation
SystemCallArchitectures=native

ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectHostname=yes
ProtectControlGroups=yes
ProtectProc=invisible

NoNewPrivileges=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes


##Enabling these will further sandbox eddie but will require entering your root password every time you start, tested only on wireguard
##CAP_SYS_PTRACE
##PrivateNetwork=yes
##PrivateUsers=true

I will be doing a firejail profile for eddie-ui next. Unless someone else has already done it.