-
Notifications
You must be signed in to change notification settings - Fork 18
systemd: Confine services #29
base: master
Are you sure you want to change the base?
Conversation
This seems to be a spurious service start
b8cff4f
to
32c9893
Compare
@@ -0,0 +1,2 @@ | |||
[Service] | |||
ProtectSystem=false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no newline at end of file
Normally these kind of changes are done upstream (i.e. in debian). Surely there's a some reason it's not already shipping like this? |
32c9893
to
9f5538c
Compare
Debian seems to be moving towards shipping AppArmor profiles with their packages to enforce security policy (which is incompatible with SELinux). Having some experience with such work, I suspect it is not already done for all services (whether by using AppArmor/SELinux or in a more limited fashion through systemd's features) because it is extremely difficult to write a security policy that is strict enough to be useful, yet does not break functionality, without knowing the context in which it is used. In our case, though, we know which services are run and how they are configured. |
We should revisit this, preferably once integration testing is underway. As a FYI, the Debian project is drafting unit files best practices that are moving in that direction: https://etherpad.fr/p/systemd-best-practices |
This configuration change enforces by default some restriction on services:
PrivateTmp
: they get their own/tmp
and/var/tmp
;PrivateDevices
: they only get to view API pseudo-devices (/dev/null
,full
,random
, ...);ProtectSystem
:/usr
,/boot
and/etc
are read-only;ProtectHome
: prevents access to/home
,/root
and/run/user
;NoNewPrivileges
: prevents uid changes and some other things;CapabilityBoundingSet
: prevents use ofCAP_SYS_ADMIN
,CAP_DAC_OVERRIDE
andCAP_SYS_PTRACE
.Some services needs specific overrides, that need to be put in
systemd/system/$UNIT.d/override.conf
.The provided override are probably both suboptimal and insufficient.
WARNING: Do not merge yet. In particular, this would break
sshd
without #28.This is meant, in a first time, for review only.