haskal tech tip
need to do some dev stuff that needs capabilities like binding to a privileged port, or managing wireguard interfaces, without using sudo (because you don't trust your program not to fuck up root access. also it's security)?
systemd-run can do it (systemd-run can do literally anything. you'd be surprised)
systemd-run --pty -S -pAmbientCapabilities=CAP_NET_ADMIN -pUser=$USER -pGroup=$USER
systemd-run creates an ephemeral unit
--pty hooks it up to the current terminal
-S starts a shell as the process
-p sets a property
AmbientCapabilities=CAP_NET_ADMIN gives the unit the CAP_NET_ADMIN capability. you may also be interested in stuff like CAP_NET_BIND_SERVICE and CAP_NET_RAW
User=$USER and Group=$USER runs it under your actual user instead of as root
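A check worth running inside the shell that systemd-run gives you, to confirm the capability actually arrived (added example, not part of the original tip): the kernel exposes the process's capability sets as hex masks in /proc/self/status, and the bit numbers for CAP_NET_BIND_SERVICE, CAP_NET_ADMIN, CAP_NET_RAW and CAP_SYS_ADMIN come from linux/capability.h. The SAMPLE_STATUS text is constructed to look like a shell started with AmbientCapabilities=CAP_NET_ADMIN.

```python
"""Verify which Linux capabilities this process really holds.

Added example, not from the original post. Reads /proc/self/status, whose
CapInh/CapPrm/CapEff/CapBnd/CapAmb lines are 64-bit masks in hex.
"""
import re
from pathlib import Path

# Bit positions from <linux/capability.h> for the capabilities discussed above.
CAP_BITS = {
    "CAP_NET_BIND_SERVICE": 10,
    "CAP_NET_ADMIN": 12,
    "CAP_NET_RAW": 13,
    "CAP_SYS_ADMIN": 21,
}

CAP_LINE = re.compile(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_masks(status_text: str) -> dict[str, int]:
    """Map each Cap* line of a /proc/<pid>/status dump to its integer mask."""
    return {name: int(hexval, 16) for name, hexval in CAP_LINE.findall(status_text)}


def caps_in_mask(mask: int) -> set[str]:
    """Names from CAP_BITS whose bit is set in mask (other caps are ignored)."""
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}


def check_caps(status_text: str, wanted: set[str]) -> dict[str, bool]:
    """True for a cap only if it is in BOTH the ambient and the effective set.

    AmbientCapabilities= fills the ambient set, which is what survives execve()
    of an ordinary (non-setuid, no file caps) binary such as your dev build;
    the effective set is what the kernel consults when the program binds or
    touches an interface. Missing from either one means the operation fails.
    """
    masks = parse_cap_masks(status_text)
    ambient = caps_in_mask(masks.get("CapAmb", 0))
    effective = caps_in_mask(masks.get("CapEff", 0))
    return {cap: (cap in ambient and cap in effective) for cap in wanted}


# Constructed sample (only the relevant lines) of what /proc/self/status shows
# for a non-root shell started with -pAmbientCapabilities=CAP_NET_ADMIN:
# 0x1000 is bit 12, i.e. CAP_NET_ADMIN alone.
SAMPLE_STATUS = """\
Name:\tbash
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000001000
CapPrm:\t0000000000001000
CapEff:\t0000000000001000
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000001000
"""


if __name__ == "__main__":
    status = Path("/proc/self/status")
    text = status.read_text() if status.exists() else SAMPLE_STATUS
    for cap, ok in sorted(check_caps(text, set(CAP_BITS)).items()):
        print(f"{cap:22} {'yes' if ok else 'no'}")
```

Run it (python3 capcheck.py) from the systemd-run shell and from a normal shell; only the former should report CAP_NET_ADMIN as yes. If CapAmb shows the bit but CapEff does not, the shell or a wrapper dropped it before your program ran.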
@haskal I really wish capabilities and isolation were... better in general tbh
like I should be able to say "only allow this program to connect to this one domain on this one port"
@hierarchon that's what android does, it has a very complicated iptables-based network security system
@haskal yeah I guess I just wish you could apply a more mobile phone-y security model
I guess flatpak does this too?
@hierarchon well if you're talking containerization that's another possibility
put the program in its own network namespace and then write routing rules so you only forward allowed traffic out of that namespace (iptables/nftables again, or you could use iproute2 with policy based routing rules)
basically there are many ways in linux to achieve what you want.
@hierarchon actually you can use systemd-run to filter ip addresses at least
this uses _yet another_ mechanism in the kernel where cgroups can have eBPF filters on them
this will not let you filter ports (unless you write an eBPF filter program and pass it with -pIPEgressFilterPath but i assume that's plumbing work you don't want to do)
@hierarchon if you want to customize your security you're going to have to customize your security. there's no GNOME app for this yet....
@haskal systemd is so great for security, I've been writing my services with ProtectSystem and only allowing read/write to very specific folders :3
also DynamicUser when it doesn't matter permission-wise
@haskal If your program supports it, letting systemd (or another privileged program) pass in the opened socket gives even tighter control. (Example on <https://liquidat.wordpress.com/2018/01/04/howto-run-programs-as-non-root-user-on-privileged-ports-via-systemd/>).
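What "letting systemd pass in the opened socket" looks like on the receiving side, as an added example (not code from the linked how-to or from anyone in the thread): systemd binds the port itself and hands the listening fd to the service, which needs no CAP_NET_BIND_SERVICE at all. The protocol is small: inherited fds start at fd 3, LISTEN_PID names the intended recipient, LISTEN_FDS gives the count, and LISTEN_FDNAMES optionally carries colon-separated names. The unit names in the comment, the port and the path are assumptions for illustration.

```python
"""Adopt a listening socket handed over by systemd (socket activation).

Added example, not the original poster's code. Mirrors the contract of
sd_listen_fds()/sd_listen_fds_with_names() from libsystemd in plain Python.

Unit pair this expects (constructed example; names/paths are assumptions):
    # /etc/systemd/system/demo.socket
    [Socket]
    ListenStream=80
    [Install]
    WantedBy=sockets.target

    # /etc/systemd/system/demo.service
    [Service]
    ExecStart=/usr/bin/python3 /opt/demo/server.py
    DynamicUser=yes
    ProtectSystem=strict
"""
import os
import socket

SD_LISTEN_FDS_START = 3  # systemd places inherited sockets at fd 3, 4, ...


def listen_fds(environ=None, pid=None) -> list[int]:
    """Return the fds systemd passed to this process, or [] if none.

    [] also when LISTEN_PID names a different pid: a child that inherited the
    environment by accident must not start serving on a socket meant for
    its parent.
    """
    env = os.environ if environ is None else environ
    pid = os.getpid() if pid is None else pid
    try:
        if int(env.get("LISTEN_PID", "")) != pid:
            return []
        count = int(env.get("LISTEN_FDS", ""))
    except ValueError:  # variables absent or malformed: not socket-activated
        return []
    if count <= 0:
        return []
    return list(range(SD_LISTEN_FDS_START, SD_LISTEN_FDS_START + count))


def listen_fd_names(environ=None, pid=None) -> dict[str, int]:
    """Map FileDescriptorName= labels (LISTEN_FDNAMES) to fds; unnamed ones
    are reported as 'unknown', which is what systemd itself uses."""
    env = os.environ if environ is None else environ
    fds = listen_fds(env, pid)
    raw = env.get("LISTEN_FDNAMES", "")
    names = raw.split(":") if raw else []
    names += ["unknown"] * (len(fds) - len(names))
    return dict(zip(names, fds))


def get_listener(fallback_port: int) -> socket.socket:
    """Prefer the socket systemd opened; otherwise bind an unprivileged port
    on loopback so the program can still be run by hand during development."""
    fds = listen_fds()
    if fds:
        # systemd already bind()ed and, for ListenStream=, listen()ed as root;
        # the service adopts the fd without holding any capability.
        return socket.socket(fileno=fds[0])
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("127.0.0.1", fallback_port))
    sock.listen(16)
    return sock


if __name__ == "__main__":
    listener = get_listener(fallback_port=8080)
    print("serving on", listener.getsockname(), "activated:", bool(listen_fds()))
    while True:
        conn, peer = listener.accept()
        with conn:
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 3\r\n\r\nok\n")
```

With the units installed, systemctl enable --now demo.socket is enough: the first connection to port 80 starts demo.service, which runs as a throwaway DynamicUser with no capabilities and simply accept()s on fd 3.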