83fccf9fe5
Research in issue #1063 uncovered why tailscaled would fail with ProtectClock enabled (it implicitly enabled DevicePolicy=closed). This knowledge in turn also opens the door to locking down /dev further, e.g. by explicitly setting DevicePolicy=strict (instead of closed) and making /dev private for the unit. An additional possible future (or downstream) lockdown is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`); however, systemd 233 or later is required for this, and tailscaled currently needs to work with systemd down to version 215. Closes https://github.com/tailscale/tailscale/issues/1063 Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
# systemd unit for the Tailscale node agent (tailscaled).
# Read by systemd: '#' full-line comments only, no inline comments, '=' only.
# NOTE(review): several hardening directives below (ProtectClock=,
# RestrictSUIDSGID=, LockPersonality=, StateDirectory=, CacheDirectory=, ...)
# post-date systemd 215. Older systemd logs an "Unknown lvalue" warning and
# ignores such lines, so on those hosts the sandbox is best-effort, not a
# guarantee; the service itself still starts.

[Unit]
Description=Tailscale node agent
Documentation=https://tailscale.com/kb/
# network-pre.target is a passive target for units that must run before the
# network is configured (e.g. firewalls); ordering after it does NOT wait for
# the network to be up.
Wants=network-pre.target
After=network-pre.target

[Service]
# PORT and FLAGS are taken from this file; the unit defines no fallbacks.
EnvironmentFile=/etc/default/tailscaled
# Clear state left by a previous run before starting (see `tailscaled --cleanup`).
ExecStartPre=/usr/sbin/tailscaled --cleanup
# NOTE(review): $PORT and $FLAGS are word-split by systemd. If PORT is empty
# or unset in the EnvironmentFile, `--port` would consume the first word of
# $FLAGS instead — confirm /etc/default/tailscaled always sets PORT.
ExecStart=/usr/sbin/tailscaled --state=/var/lib/tailscale/tailscaled.state --socket=/run/tailscale/tailscaled.sock --port $PORT $FLAGS
# Runs after the service has stopped, whether it exited cleanly or failed.
ExecStopPost=/usr/sbin/tailscaled --cleanup

# Restart only on unclean exit; an explicit stop stays stopped.
Restart=on-failure

# /run/tailscale holds the control socket. 0755 lets unprivileged clients
# traverse the directory; access to the socket itself is governed by the
# socket's own permissions.
RuntimeDirectory=tailscale
RuntimeDirectoryMode=0755
# /var/lib/tailscale holds tailscaled.state (node identity and keys):
# no world access.
StateDirectory=tailscale
StateDirectoryMode=0750
CacheDirectory=tailscale
CacheDirectoryMode=0750
# systemd waits for tailscaled's sd_notify READY=1 before treating the unit
# as started.
Type=notify

# --- Sandboxing ---
# Explicit device allow-list. With DevicePolicy=strict only the nodes listed
# here are reachable; 'closed' would additionally allow the standard pseudo
# devices (/dev/null, /dev/zero, /dev/full, /dev/random, /dev/urandom)
# implicitly. ProtectClock= implies DevicePolicy=closed, which is why the
# policy is set explicitly below.
# NOTE(review): /dev/zero and /dev/full are not in the list — confirm
# tailscaled never opens them.
DeviceAllow=/dev/net/tun
DeviceAllow=/dev/null
DeviceAllow=/dev/random
DeviceAllow=/dev/urandom
DevicePolicy=strict
# Forbid changing the execution domain (personality(2)).
LockPersonality=true
# Forbid memory mappings that are both writable and executable.
MemoryDenyWriteExecute=true
# Private /tmp and /var/tmp for the unit.
PrivateTmp=true
# Deny clock-setting system calls. Side effect: implies DevicePolicy=closed,
# overridden by the explicit DevicePolicy=strict above.
ProtectClock=true
# /sys/fs/cgroup read-only.
ProtectControlGroups=true
# /home, /root and /run/user inaccessible.
ProtectHome=true
# /proc/sys, /sys and related kernel tunables read-only.
ProtectKernelTunables=true
# Entire filesystem read-only except /dev, /proc, /sys and the paths below;
# the Runtime/State/Cache directories above stay writable.
ProtectSystem=strict
# NOTE(review): the broadest exception in this sandbox — all of /etc is
# writable. Presumably needed so tailscaled can rewrite /etc/resolv.conf for
# DNS; narrowing it to specific files would have to account for
# rename-into-place writes. Confirm the minimum needed.
ReadWritePaths=/etc/
# Forbid creating set-user-ID/set-group-ID files and directories.
RestrictSUIDSGID=true
# Only the host's native syscall ABI; 32-bit compat syscalls are rejected.
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target