Comparison of systemds hardening options with firejail and vice versa.

firejail-systemd.md

https://github.com/netblue30/firejail/wiki/Comparison-of-firejail-and-systemd's-hardening-options

For net eth0 there's no equivalent in systemd directives.

For netfilter /etc/firejail/myfilter.net, similar features are IPIngressFilterPath=/IPEgressFilterPath= and more general BPFProgram=. They use BPF rather than iptables/nftables.

Yes but there are also /bin /sbin and /usr/sbin. With a unified filesystem-hirachy (/bin and /sbin are symlinks to there /usr counterparts) this is just an additional TemporaryFileSystem=/usr/sbin but without?

Yes. I think there could be also further unification where also /usr/sbin is just a symlink to /usr/bin.

I implemented ExecPaths= and NoExecPaths= in systemd PR 18273, but this has not been released yet.

This is now merged and released.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't read-only +
noexec equivalent?

Not really, umask is applied when creating new files but read-only or noexec remount a directory tree with flags to deny writing or executing. A new umask can be also installed easily (unless prevented with seccomping) but changing mount flags would need superuser capabilities.

@topimiettinen commented on Aug 11:

I implemented ExecPaths= and NoExecPaths= in systemd PR
18273, but this has not
been released yet.

This is now merged and released.

Nice.

| Not Implemented | UMask=0077 |

I don't know if this is system-wide, but for single paths, isn't
read-only + noexec equivalent?

Not really, umask is applied when creating new files but read-only or
noexec remount a directory tree with flags to deny writing or executing. A
new umask can be also installed easily (unless prevented with seccomping) but
changing mount flags would need superuser capabilities.

I see; thanks for the explanation. For some reason I thought that the option
was actually about enforcing the permissions rather than just changing the
umask.