From 4339289bad67dd02025e81437a14758b8938554d Mon Sep 17 00:00:00 2001
From: CroneKorkN
Date: Fri, 15 May 2026 16:44:22 +0200
Subject: [PATCH] fix(left4me): drop ProcSubset=pid from server unit too

Same pattern as the web-unit fix (commit b3f...): ProcSubset=pid hides
/proc/cpuinfo and /proc/sys/*. Source's tier0/cpu.cpp asserts on cpuinfo
read failure; SteamAPI_Init then fails with "create pipe failed" as a
downstream cascade, and srcds registers as LAN (rejecting external clients
with "LAN servers are restricted to local clients").

PrivatePIDs=true (private PID namespace) remains the load-bearing
peer-process isolation: no foreign PIDs visible to srcds in its own
namespace. ProtectProc=invisible is the foreign-uid /proc hide.
ProcSubset=pid was a defense-in-depth layer hiding kernel-introspection
files (cpuinfo, meminfo, sysctls); losing it only exposes host kernel info,
which is not sensitive in this threat model and is the same information any
user on the host already sees.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 bundles/left4me/metadata.py | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/bundles/left4me/metadata.py b/bundles/left4me/metadata.py
index fff5204..6313d6f 100644
--- a/bundles/left4me/metadata.py
+++ b/bundles/left4me/metadata.py
@@ -159,7 +159,15 @@ HARDENING_COMMON = { # socket binds. HARDENING_SERVER = { **HARDENING_COMMON, - 'ProcSubset': 'pid', + # ProcSubset=pid was here but had to come out: it hides /proc/cpuinfo + # and /proc/sys/*, which breaks Source's tier0/cpu.cpp and (downstream) + # SteamAPI_Init's "create pipe" step — server then registers as LAN + # and rejects external clients with "LAN servers are restricted to + # local clients (class C)". PrivatePIDs=true (kernel-level PID + # namespace) remains the load-bearing peer-process isolation, and + # ProtectProc=invisible is the foreign-uid /proc hide. Losing + # ProcSubset=pid only exposes host kernel info (cpuinfo, meminfo, + # sysctls), which is not sensitive in this threat model. 'NoNewPrivileges': 'true', 'RestrictSUIDSGID': 'true', 'PrivateUsers': 'true',
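Review bot: the new comment states that PrivatePIDs=true and ProtectProc=invisible remain in force as the isolation this change now leans on, but neither key appears in this hunk's context, so a reader has to trust that the dict merged via `**HARDENING_COMMON` still carries both; name the dict they live in, or add a small assertion that HARDENING_SERVER contains both keys, so a later edit to the common block cannot silently remove the only remaining /proc and PID isolation for srcds. Two smaller points: the comment opens as a changelog ("ProcSubset=pid was here but had to come out"), which reads better as a standing constraint ("Do not set ProcSubset=pid: ...") so nobody reinstates it during a future hardening pass, and the commit message's own justification that the exposed kernel info "is the same information any user on the host already sees" is the sharper threat-model argument and belongs in the comment as well.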