diff --git a/README.md b/README.md index 69a43d4..c775866 100644 --- a/README.md +++ b/README.md @@ -75,8 +75,9 @@ The split matters: the owner home read-only. - `bangerd-root.service` is the only process that keeps elevated host capabilities, and that capability set is limited to the host-kernel - primitives banger actually uses (`CAP_CHOWN`, `CAP_SYS_ADMIN`, - `CAP_NET_ADMIN`). + primitives banger actually uses (`CAP_CHOWN`, `CAP_DAC_OVERRIDE`, + `CAP_FOWNER`, `CAP_KILL`, `CAP_MKNOD`, `CAP_NET_ADMIN`, `CAP_NET_RAW`, + `CAP_SETGID`, `CAP_SETUID`, `CAP_SYS_ADMIN`, `CAP_SYS_CHROOT`). To inspect or refresh the services: diff --git a/docs/privileges.md b/docs/privileges.md index a991da4..bef1411 100644 --- a/docs/privileges.md +++ b/docs/privileges.md @@ -137,7 +137,7 @@ the file-sync path, even if the owner edits config to try. For each running VM banger creates: -- One bridge (default `banger0`, configurable). Created on first VM +- One bridge (default `br-fc`, configurable). Created on first VM start, never deleted automatically. - One tap interface named `tap-fc-`. Created on VM start, deleted on VM stop or crash recovery. @@ -189,9 +189,10 @@ What `uninstall` does, in order: What `uninstall` does NOT do automatically: - It does not delete the bridge or any iptables rules. Stop your VMs - first (`banger vm stop --all`) so the per-VM teardown drops them. - The bridge itself is intentionally persistent — a future reinstall - reuses it. To remove it manually: `sudo ip link del banger0`. + first (`banger vm prune` or `banger vm stop ` for each VM) so + the per-VM teardown drops them. The bridge itself is intentionally + persistent — a future reinstall reuses it. To remove it manually: + `sudo ip link del br-fc`. - It does not undo `resolvectl` routing on a bridge that no longer exists; the entries are harmless if the bridge is gone. - It does not remove the owner user, the owner's home, or anything 
@@ -252,9 +253,10 @@ Root helper (`bangerd-root.service`): - Same hardening as above, plus `ProtectHome=yes` (no host-home visibility at all from the helper). -- `CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_NET_ADMIN CAP_NET_RAW CAP_SYS_ADMIN`. +- `CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_FOWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN CAP_NET_RAW CAP_SETGID CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT`. Only the capabilities required for tap/bridge, iptables, dmsetup, - loop devices, and Firecracker. No `CAP_SYS_BOOT`, no `CAP_SYS_PTRACE`, + loop devices, ownership fixups, device node creation, and Firecracker + process management. No `CAP_SYS_BOOT`, no `CAP_SYS_PTRACE`, no `CAP_SYS_MODULE`, no `CAP_NET_BIND_SERVICE`. - `ReadWritePaths=/var/lib/banger`.
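Review bot: The README hunk (`@@ -75,8 +75,9 @@`) now lists eleven capabilities but still introduces them as "the host-kernel primitives banger actually uses" with no hint of which operation needs which; the README is where a reader first meets this list, so a short parenthetical per group (tap/bridge and iptables, ownership fixups, device node creation, process management) would let them judge the claim without opening `docs/privileges.md`. It is good that the list now matches the `CapabilityBoundingSet=` line in the second file verbatim; consider adding a one-line pointer to that section so the two stay in sync on the next change.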
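Review bot: Renaming the default bridge from `banger0` to `br-fc` (`@@ -137,7 +137,7 @@`) is a behaviour change on upgrade, not just a doc fix: the same section says the bridge is "never deleted automatically" and that "a future reinstall reuses it", so hosts that already carry a `banger0` bridge will end up with an orphaned bridge and any iptables rules that reference it once the new default is created. Add an upgrade note here (remove the old bridge with `sudo ip link del banger0` after stopping VMs, or set the configurable name back to `banger0`), and grep the rest of the docs and any shipped config for the old name.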
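Review bot: In the `uninstall` hunk (`@@ -189,9 +189,10 @@`) the replacement for `banger vm stop --all` reads `banger vm stop ` with a trailing space, so the VM name argument appears to have been lost from the rendered text; restore the placeholder. The same sentence offers `banger vm prune` as an alternative, but "prune" normally suggests removing stopped or stale VMs rather than stopping running ones, while the point of the sentence is that the per-VM teardown must run to drop the tap and iptables rules; say explicitly whether `prune` stops running VMs and runs that teardown, or keep it as a second step after the per-VM stop.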
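Review bot: The justification added in `@@ -252,9 +253,10 @@` ("ownership fixups, device node creation, and Firecracker process management") accounts for `CAP_FOWNER`, `CAP_MKNOD` and `CAP_KILL` but says nothing about `CAP_SETUID`, `CAP_SETGID` or `CAP_SYS_CHROOT`, which are the three that most weaken the "only the capabilities required" claim: together with `CAP_DAC_OVERRIDE` and `CAP_SYS_ADMIN` already in the set, a compromised helper can switch identity, escape its filesystem view and bypass file permissions, so the remaining exclusions (`CAP_SYS_PTRACE`, `CAP_SYS_MODULE`, `CAP_SYS_BOOT`, `CAP_NET_BIND_SERVICE`) buy little. State which operation needs each of those three, and if they exist only to drop privileges for the VM process, note that here so a future reader does not read the list as the helper's steady-state privilege.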