tailscale/cmd/tailscaled
Frederik “Freso” S. Olesen 83fccf9fe5 tailscaled.service: Lock down clock and /dev (#1071)
Research in issue #1063 uncovered why tailscaled would fail with
ProtectClock enabled (it implicitly enabled DevicePolicy=closed).

This knowledge in turn also opens the door for locking down /dev
further, e.g. explicitly setting DevicePolicy=strict (instead of
closed), and making /dev private for the unit.

Additional possible future (or downstream) lockdown that can be done
is setting `PrivateDevices=true` (with `BindPaths=/dev/net/`), however,
systemd 233 or later is required for this, and tailscaled currently needs
to work for systemd down to version 215.

Closes https://github.com/tailscale/tailscale/issues/1063

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
2021-01-07 10:18:55 -08:00
depaware.txt wgkey: new package 2020-12-30 17:33:02 -08:00
tailscaled.defaults cmd/tailscaled: rename relaynode reference in defaults file comment 2020-03-13 14:38:04 -07:00
tailscaled.go cmd/tailscaled, logpolicy, logtail: support log levels 2020-12-21 12:59:33 -08:00
tailscaled.service tailscaled.service: Lock down clock and /dev (#1071) 2021-01-07 10:18:55 -08:00