units: set LockPersonality= for all our long-running services (#6819)
Let's lock things down. Also, using it is the only way to properly test this to the fullest extent.
This commit is contained in:
parent
71b514298b
commit
bff8f2543b
2
TODO
|
@ -27,8 +27,6 @@ Features:
|
||||||
* dissect: when we discover squashfs, don't claim we had a "writable" partition
|
* dissect: when we discover squashfs, don't claim we had a "writable" partition
|
||||||
in systemd-dissect
|
in systemd-dissect
|
||||||
|
|
||||||
* set LockPersonality= on all our services
|
|
||||||
|
|
||||||
* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
|
* Add AddUser= setting to unit files, similar to DynamicUser=1 which however
|
||||||
creates a static, persistent user rather than a dynamic, transient user. We
|
creates a static, persistent user rather than a dynamic, transient user. We
|
||||||
can leverage code from sysusers.d for this.
|
can leverage code from sysusers.d for this.
|
||||||
|
|
|
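Review bot: the removed TODO item reads "set LockPersonality= on all our services", but the commit title scopes the change to "all our long-running services", so dropping the item entirely loses track of the units that did not receive the setting in this commit. Either narrow the removal to a reworded item (e.g. "set LockPersonality= on the remaining one-shot services") or note in the commit message why the shorter-lived services are intentionally excluded.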
@ -33,4 +33,5 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
StateDirectory=systemd/coredump
|
StateDirectory=systemd/coredump
|
||||||
|
|
|
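Review bot: none of the units touched here carry a Personality= line, so LockPersonality=yes pins each service to the default execution domain; that is the intended effect, but it means any of these daemons that still calls personality(2) (for example to toggle ADDR_NO_RANDOMIZE) will now get EPERM rather than a changed personality, so a quick run of each service under the new setting is worth doing before merge. Two documented properties are also worth keeping in mind for the test the commit message mentions: the lock is enforced through a seccomp filter, so on kernels or architectures without seccomp support the directive is silently ineffective, and for units running without CAP_SYS_ADMIN (e.g. with User=) the setting implies NoNewPrivileges=yes.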
@ -29,4 +29,5 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
ReadWritePaths=/etc
|
ReadWritePaths=/etc
|
||||||
|
|
|
@ -23,3 +23,4 @@ RestrictNamespaces=net
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
|
|
|
@ -25,6 +25,7 @@ RestrictRealtime=yes
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
|
|
||||||
# If there are many split upjournal files we need a lot of fds to
|
# If there are many split upjournal files we need a lot of fds to
|
||||||
# access them all and combine
|
# access them all and combine
|
||||||
|
|
|
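Review bot: the unchanged context line `# If there are many split upjournal files we need a lot of fds to` carries a pre-existing typo, "split upjournal" for "split up journal"; the same comment is spelled correctly in the later hunk (`# If there are many split up journal files we need a lot of fds to`). Since this file is being edited anyway, fixing the comment here would keep the two units consistent.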
@ -27,6 +27,7 @@ RestrictRealtime=yes
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
LogsDirectory=journal/remote
|
LogsDirectory=journal/remote
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
|
|
@ -28,6 +28,7 @@ RestrictRealtime=yes
|
||||||
RestrictNamespaces=yes
|
RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
StateDirectory=systemd/journal-upload
|
StateDirectory=systemd/journal-upload
|
||||||
|
|
||||||
# If there are many split up journal files we need a lot of fds to
|
# If there are many split up journal files we need a lot of fds to
|
||||||
|
|
|
@ -29,6 +29,7 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
|
|
||||||
# Increase the default a bit in order to allow many simultaneous
|
# Increase the default a bit in order to allow many simultaneous
|
||||||
# services being run since we keep one fd open per service. Also, when
|
# services being run since we keep one fd open per service. Also, when
|
||||||
|
|
|
@ -29,4 +29,5 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
ReadWritePaths=/etc
|
ReadWritePaths=/etc
|
||||||
|
|
|
@ -30,6 +30,7 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
FileDescriptorStoreMax=512
|
FileDescriptorStoreMax=512
|
||||||
|
|
||||||
# Increase the default a bit in order to allow many simultaneous
|
# Increase the default a bit in order to allow many simultaneous
|
||||||
|
|
|
@ -23,6 +23,7 @@ RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
|
|
||||||
# Note that machined cannot be placed in a mount namespace, since it
|
# Note that machined cannot be placed in a mount namespace, since it
|
||||||
# needs access to the host's mount namespace in order to implement the
|
# needs access to the host's mount namespace in order to implement the
|
||||||
|
|
|
@ -34,6 +34,7 @@ RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
RuntimeDirectory=systemd/netif
|
RuntimeDirectory=systemd/netif
|
||||||
RuntimeDirectoryPreserve=yes
|
RuntimeDirectoryPreserve=yes
|
||||||
|
|
||||||
|
|
|
@ -36,6 +36,7 @@ RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
RuntimeDirectory=systemd/resolve
|
RuntimeDirectory=systemd/resolve
|
||||||
RuntimeDirectoryPreserve=yes
|
RuntimeDirectoryPreserve=yes
|
||||||
|
|
||||||
|
|
|
@ -27,4 +27,5 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX
|
RestrictAddressFamilies=AF_UNIX
|
||||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
ReadWritePaths=/etc
|
ReadWritePaths=/etc
|
||||||
|
|
|
@ -38,6 +38,7 @@ RestrictNamespaces=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
||||||
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
SystemCallFilter=~@cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @swap
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
StateDirectory=systemd/timesync
|
StateDirectory=systemd/timesync
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
|
|
|
@ -28,3 +28,4 @@ MemoryDenyWriteExecute=yes
|
||||||
RestrictRealtime=yes
|
RestrictRealtime=yes
|
||||||
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
|
||||||
SystemCallArchitectures=native
|
SystemCallArchitectures=native
|
||||||
|
LockPersonality=yes
|
||||||
|
|