$ systemd-analyze security caRepeater.service
  NAME                                                         DESCRIPTION                                                              EXPOSURE
✗ PrivateNetwork=                                              Service has access to the host's network                                 0.5
✓ User=/DynamicUser=                                           Service runs under a static non-root user identity
✗ CapabilityBoundingSet=~CAP_SET(UID|GID|PCAP)                 Service may change UID/GID identities/capabilities                       0.3
✗ CapabilityBoundingSet=~CAP_SYS_ADMIN                         Service has administrator privileges                                     0.3
✗ CapabilityBoundingSet=~CAP_SYS_PTRACE                        Service has ptrace() debugging abilities                                 0.3
✗ RestrictAddressFamilies=~AF_(INET|INET6)                     Service may allocate Internet sockets                                    0.3
✗ RestrictNamespaces=~CLONE_NEWUSER                            Service may create user namespaces                                       0.3
✗ RestrictAddressFamilies=~…                                   Service may allocate exotic sockets                                      0.3
✗ CapabilityBoundingSet=~CAP_(CHOWN|FSETID|SETFCAP)            Service may change file ownership/access mode/capabilities unrestricted  0.2
✗ CapabilityBoundingSet=~CAP_(DAC_*|FOWNER|IPC_OWNER)          Service may override UNIX file/IPC permission checks                     0.2
✗ CapabilityBoundingSet=~CAP_NET_ADMIN                         Service has network configuration privileges                             0.2
✗ CapabilityBoundingSet=~CAP_RAWIO                             Service has raw I/O access                                               0.2
✗ CapabilityBoundingSet=~CAP_SYS_MODULE                        Service may load kernel modules                                          0.2
✗ CapabilityBoundingSet=~CAP_SYS_TIME                          Service processes may change the system clock                            0.2
✗ DeviceAllow=                                                 Service has no device ACL                                                0.2
✗ IPAddressDeny=                                               Service does not define an IP address whitelist                          0.2
✓ KeyringMode=                                                 Service doesn't share key material with other services
✗ NoNewPrivileges=                                             Service processes may acquire new privileges                             0.2
✓ NotifyAccess=                                                Service child processes cannot alter service state
✗ PrivateDevices=                                              Service potentially has access to hardware devices                       0.2
✗ PrivateMounts=                                               Service may install system mounts                                        0.2
✗ PrivateTmp=                                                  Service has access to other software's temporary files                   0.2
✗ PrivateUsers=                                                Service has access to other users                                        0.2
✗ ProtectControlGroups=                                        Service may modify to the control group file system                      0.2
✗ ProtectHome=                                                 Service has full access to home directories                              0.2
✗ ProtectKernelModules=                                        Service may load or read kernel modules                                  0.2
✗ ProtectKernelTunables=                                       Service may alter kernel tunables                                        0.2
✗ ProtectSystem=                                               Service has full access the OS file hierarchy                            0.2
✗ RestrictAddressFamilies=~AF_PACKET                           Service may allocate packet sockets                                      0.2
✗ RestrictSUIDSGID=                                            Service may create SUID/SGID files                                       0.2
✗ SystemCallArchitectures=                                     Service may execute system calls with all ABIs                           0.2
✗ SystemCallFilter=~@clock                                     Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@debug                                     Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@module                                    Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@mount                                     Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@raw-io                                    Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@reboot                                    Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@swap                                      Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@privileged                                Service does not filter system calls                                     0.2
✗ SystemCallFilter=~@resources                                 Service does not filter system calls                                     0.2
✓ AmbientCapabilities=                                         Service process does not receive ambient capabilities
✗ CapabilityBoundingSet=~CAP_AUDIT_*                           Service has audit subsystem access                                       0.1
✗ CapabilityBoundingSet=~CAP_KILL                              Service may send UNIX signals to arbitrary processes                     0.1
✗ CapabilityBoundingSet=~CAP_MKNOD                             Service may create device nodes                                          0.1
✗ CapabilityBoundingSet=~CAP_NET_(BIND_SERVICE|BROADCAST|RAW)  Service has elevated networking privileges                               0.1
✗ CapabilityBoundingSet=~CAP_SYSLOG                            Service has access to kernel logging                                     0.1
✗ CapabilityBoundingSet=~CAP_SYS_(NICE|RESOURCE)               Service has privileges to change resource use parameters                 0.1
✗ RestrictNamespaces=~CLONE_NEWCGROUP                          Service may create cgroup namespaces                                     0.1
✗ RestrictNamespaces=~CLONE_NEWIPC                             Service may create IPC namespaces                                        0.1
✗ RestrictNamespaces=~CLONE_NEWNET                             Service may create network namespaces                                    0.1
✗ RestrictNamespaces=~CLONE_NEWNS                              Service may create file system namespaces                                0.1
✗ RestrictNamespaces=~CLONE_NEWPID                             Service may create process namespaces                                    0.1
✗ RestrictRealtime=                                            Service may acquire realtime scheduling                                  0.1
✗ SystemCallFilter=~@cpu-emulation                             Service does not filter system calls                                     0.1
✗ SystemCallFilter=~@obsolete                                  Service does not filter system calls                                     0.1
✗ RestrictAddressFamilies=~AF_NETLINK                          Service may allocate netlink sockets                                     0.1
✗ RootDirectory=/RootImage=                                    Service runs within the host's root directory                            0.1
✓ SupplementaryGroups=                                         Service has no supplementary groups
✗ CapabilityBoundingSet=~CAP_MAC_*                             Service may adjust SMACK MAC                                             0.1
✗ CapabilityBoundingSet=~CAP_SYS_BOOT                          Service may issue reboot()                                               0.1
✓ Delegate=                                                    Service does not maintain its own delegated control group subtree
✗ LockPersonality=                                             Service may change ABI personality                                       0.1
✗ MemoryDenyWriteExecute=                                      Service may create writable executable memory mappings                   0.1
✗ RemoveIPC=                                                   Service user may leave SysV IPC objects around                           0.1
✗ RestrictNamespaces=~CLONE_NEWUTS                             Service may create hostname namespaces                                   0.1
✗ UMask=                                                       Files created by service are world-readable by default                   0.1
✗ CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE                   Service may mark files immutable                                         0.1
✗ CapabilityBoundingSet=~CAP_IPC_LOCK                          Service may lock memory into RAM                                         0.1
✗ CapabilityBoundingSet=~CAP_SYS_CHROOT                        Service may issue chroot()                                               0.1
✗ CapabilityBoundingSet=~CAP_BLOCK_SUSPEND                     Service may establish wake locks                                         0.1
✗ CapabilityBoundingSet=~CAP_LEASE                             Service may create file leases                                           0.1
✗ CapabilityBoundingSet=~CAP_SYS_PACCT                         Service may use acct()                                                   0.1
✗ CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG                    Service may issue vhangup()                                              0.1
✗ CapabilityBoundingSet=~CAP_WAKE_ALARM                        Service may program timers that wake up the system                       0.1
✗ RestrictAddressFamilies=~AF_UNIX                             Service may allocate local sockets                                       0.1

→ Overall exposure level for caRepeater.service: 9.1 UNSAFE 😨