Hardened service:<ul><li>runs as a dedicated user with minimal set of permissions (see caveats),</li><li>restricts daemon configuration socket access to dedicated user group (you can grant access to it with <code>users.users."&lt;user&gt;".extraGroups = [ netbird-‹name› ]</code>),</li></ul>Even though the local system resources access is restricted:<ul><li><code>CAP_NET_RAW</code>, <code>CAP_NET_ADMIN</code> and <code>CAP_BPF</code> still give unlimited network manipulation possibilites,</li><li>older kernels don't have <code>CAP_BPF</code> and use <code>CAP_SYS_ADMIN</code> instead,</li></ul>Known security features that are not (yet) integrated into the module:<ul><li>2024-02-14: <code>rosenpass</code> is an experimental feature configurable solely through <code>--enable-rosenpass</code> flag on the <code>netbird up</code> command, see <a href="https://docs.netbird.io/how-to/enable-post-quantum-cryptography" rel="nofollow">the docs</a>.</li></ul>

services.netbird.tunnels.<name>.hardened

Hardened service:runs as a dedicated user with minimal set of permissions (see caveats),restricts …

Related