]> git.ipfire.org Git - thirdparty/systemd.git/commitdiff
units: harden systemd-tpm2-swtpm.service
authorPaul Meyer <katexochen0@gmail.com>
Wed, 17 Jun 2026 16:03:55 +0000 (18:03 +0200)
committerPaul Meyer <katexochen0@gmail.com>
Thu, 25 Jun 2026 07:39:55 +0000 (09:39 +0200)
Lock down the software TPM service: restrict the runtime directory (which
holds the AES key sealing swtpm's state) to 0700, and apply the usual
sandboxing (NoNewPrivileges, MemoryDenyWriteExecute, ProtectSystem-adjacent
Protect*/Restrict* knobs, PrivateNetwork, PrivateTmp, a @system-service
syscall filter, etc.).

A few common knobs can't be used here: the service must keep CAP_SYS_ADMIN
(needed for the ioctl that creates the vtpm proxy device on /dev/vtpmx),
and it needs runtime access to the ESP and its backing block device at a
path only known at runtime, which rules out PrivateDevices=, DevicePolicy=,
ProtectSystem= and User=/DynamicUser=.

Signed-off-by: Paul Meyer <katexochen0@gmail.com>
units/systemd-tpm2-swtpm.service.in

index 5ca946248c439573d712b29ed6637f4ed822c7d0..e9127f34c909413ee3d81606e839c9f5a5cd818d 100644 (file)
@@ -18,10 +18,32 @@ After=modprobe@tpm_vtpm_proxy.service
 Before=tpm2.target sysinit.target shutdown.target
 
 [Service]
-Type=notify
-RuntimeDirectory=systemd/swtpm
+CapabilityBoundingSet=CAP_SYS_ADMIN
 ExecStart={{LIBEXECDIR}}/systemd-tpm2-swtpm
 # Write out volatile state (so that we can read it back after the initrd transition
 ExecStop=swtpm_ioctl --unix %t/systemd/swtpm/socket -v
 # Initiate graceful shutdown
 ExecStop=swtpm_ioctl --unix %t/systemd/swtpm/socket -s
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateNetwork=yes
+PrivateTmp=disconnected
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RuntimeDirectory=systemd/swtpm
+RuntimeDirectoryMode=0700
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+Type=notify
+UMask=0077