Since v2021.5.0 home-assistant uses the ifaddr library in the zeroconf component to enumerate network interfaces via netlink. Since discovery is all over the place lets allow AF_NETLINK unconditionally. It also relies on pyroute2 now, which additionally tries to access files in /proc/net, so we relax ProtectProc a bit by default as well. This leaves us with these options unsecured: ✗ PrivateNetwork= Service has access to the host's network 0.5 ✗ RestrictAddressFamilies=~AF_(INET|INET6) Service may allocate Internet sockets 0.3 ✗ DeviceAllow= Service has a device ACL with some special devices 0.1 ✗ IPAddressDeny= Service does not define an IP address allow list 0.2 ✗ PrivateDevices= Service potentially has access to hardware devices 0.2 ✗ PrivateUsers= Service has access to other users 0.2 ✗ SystemCallFilter=~@resources System call allow list defined for service, and @resources is included (e.g. ioprio_set is allowed) 0.2 ✗ RestrictAddressFamilies=~AF_NETLINK Service may allocate netlink sockets 0.1 ✗ RootDirectory=/RootImage= Service runs within the host's root directory 0.1 ✗ SupplementaryGroups= Service runs with supplementary groups 0.1 ✗ RestrictAddressFamilies=~AF_UNIX Service may allocate local sockets 0.1 ✗ ProcSubset= Service has full access to non-process /proc files (/proc subset=) 0.1 → Overall exposure level for home-assistant.service: 1.6 OK 🙂wip/yesman
parent
3bab9a19ad
commit
24adc01e2e
Loading…
Reference in new issue