Service Sandboxing using systemd

This is a simple howto for package maintainers to implement sandboxing around services.

Unit files offer directives that drop capabilities, filter system calls with seccomp, and confine the service with cgroups and namespaces.

See https://www.freedesktop.org/software/systemd/man/systemd.unit.html and https://www.freedesktop.org/software/systemd/man/systemd.service.html; the sandboxing directives themselves are documented in https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Notice: Sandboxing protects the rest of the system, other services and the users' home directories from a compromised service. It usually does not harden the service itself: a vulnerability in the daemon is still exploitable, the sandbox only limits what the attacker can do afterwards.

Check the sandboxing status of all services:

   sudo systemd-analyze security

Detailed report on the service you maintain:

   sudo systemd-analyze security mydaemon.service --no-pager

Then update the unit file of your daemon (mydaemon.service above). Below is a working example for a service "myserv" with typical settings.

   [Service]
   # PermissionsStartOnly= is deprecated: prefix the ExecStartPre= commands that must run as root with "+" instead
   PermissionsStartOnly=true

   # Filter directory access. systemd has no inline comments: a "#" after the value becomes part of
   # the value, so every comment in this file sits on a line of its own.
   # ReadOnlyDirectories= is the old name of ReadOnlyPaths=; redundant with ProtectSystem=strict below
   ReadOnlyPaths=/
   # The *Directory= names are relative (no leading slash); the directories are created with the
   # right ownership before the service starts:
   #   RuntimeDirectory=myserv        /run/myserv, removed again when the unit is stopped
   #   StateDirectory=myserv          /var/lib/myserv
   #   CacheDirectory=myserv          /var/cache/myserv
   #   LogsDirectory=myserv           /var/log/myserv
   #   ConfigurationDirectory=myserv  /etc/myserv
   # These settings change behaviour with DynamicUser= - see docs
   #RuntimeDirectory=myserv
   StateDirectory=myserv
   CacheDirectory=myserv
   LogsDirectory=myserv
   ConfigurationDirectory=myserv

   # Prevent acquiring new privileges. Warning: SUID/SGID bits and file capabilities stop working
   NoNewPrivileges=yes
   # Private /tmp and /var/tmp
   PrivateTmp=yes
   # User namespace: root, nobody and the service's own user map through, every other user appears as nobody
   PrivateUsers=yes
   # Mount the control group file system (/sys/fs/cgroup) read-only
   ProtectControlGroups=yes
   # Make /home, /root and /run/user inaccessible and empty
   ProtectHome=yes
   # Private /dev with pseudo devices only (null, zero, random, ...); also drops CAP_MKNOD and CAP_SYS_RAWIO
   PrivateDevices=yes
   # Prevent loading, unloading or reading kernel modules
   ProtectKernelModules=yes
   # Mount /proc/sys, /sys and friends read-only
   ProtectKernelTunables=yes
   # strict: the whole file system tree read-only except /dev, /proc, /sys (the *Directory= paths above stay writable)
   # full: only /usr, /boot and /etc read-only - see docs
   ProtectSystem=strict

   # Filter system calls with seccomp (recommended). A single "~" in front of the first item turns the
   # whole list into a deny list; a "~" on later items is not recognised. Pair it with SystemCallArchitectures=native
   #SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap
   # Further settings, all left unset here. The text after each one is what systemd-analyze security
   # reports for the unset state; turn on what the service can live with.
   #AmbientCapabilities=                 # Service process does not receive ambient capabilities
   #CapabilityBoundingSet=               # Restrict capabilities: list the ones to keep, an empty value drops all
   # CAP_AUDIT_*                         # Service has audit subsystem access
   # CAP_BLOCK_SUSPEND                   # Service may establish wake locks
   # CAP_(CHOWN|FSETID|SETFCAP)          # Service may change file ownership/access mode/capabilities unrestricted
   # CAP_(DAC_*|FOWNER|IPC_OWNER)        # Service may override UNIX file/IPC permission checks
   # CAP_IPC_LOCK                        # Service may lock memory into RAM
   # CAP_KILL                            # Service may send UNIX signals to arbitrary processes
   # CAP_LEASE                           # Service may create file leases
   # CAP_LINUX_IMMUTABLE                 # Service may mark files immutable
   # CAP_MAC_*                           # Service may adjust SMACK MAC
   # CAP_MKNOD                           # Service may create device nodes
   # CAP_NET_ADMIN                       # Service has network configuration privileges
   # CAP_NET_(BIND_SERVICE|BROADCAST|RAW)# Service has elevated networking privileges
   # CAP_SYS_RAWIO                       # Service has raw I/O access
   # CAP_SET(UID|GID|PCAP)               # Service may change UID/GID identities/capabilities
   # CAP_SYS_ADMIN                       # Service has administrator privileges
   # CAP_SYS_BOOT                        # Service may issue reboot()
   # CAP_SYS_CHROOT                      # Service may issue chroot()
   # CAP_SYSLOG                          # Service has access to kernel logging
   # CAP_SYS_MODULE                      # Service may load kernel modules
   # CAP_SYS_(NICE|RESOURCE)             # Service has privileges to change resource use parameters
   # CAP_SYS_PACCT                       # Service may use acct()
   # CAP_SYS_PTRACE                      # Service has ptrace() debugging abilities
   # CAP_SYS_TIME                        # Service processes may change the system clock
   # CAP_SYS_TTY_CONFIG                  # Service may issue vhangup()
   # CAP_WAKE_ALARM                      # Service may program timers that wake up the system
   #Delegate=                            # Service does not maintain its own delegated control group subtree
   #DeviceAllow=                         # Service has no device ACL
   #IPAddressDeny=                       # Service does not define an IP address allow list
   #KeyringMode=                         # Service doesn't share key material with other services
   #LockPersonality=                     # Service may change ABI personality
   #MemoryDenyWriteExecute=              # Service may create writable executable memory mappings
   #NotifyAccess=                        # Service child processes cannot alter service state
   #PrivateMounts=                       # Service may install system mounts
   #PrivateNetwork=                      # Service has access to the host's network
   #ProtectHostname=                     # Service may change system host/domainname
   #ProtectKernelLogs=                   # Service may read from or write to the kernel log ring buffer
   #RestrictAddressFamilies=             # Filter socket families; only a leading ~ inverts the list, e.g.
   # ~AF_INET AF_INET6 AF_NETLINK AF_PACKET AF_UNIX  (most daemons rather allow AF_UNIX AF_INET AF_INET6)
   #RestrictNamespaces=                  # Filter namespace creation: yes forbids all, or a list, optionally with a leading ~:
   # ~CLONE_NEWCGROUP CLONE_NEWIPC CLONE_NEWNET CLONE_NEWNS CLONE_NEWPID CLONE_NEWUSER CLONE_NEWUTS
   #RestrictRealtime=                    # Service may acquire realtime scheduling
   #RestrictSUIDSGID=                    # Service may create SUID/SGID files
   #RootDirectory=/RootImage=            # Service runs within the host's root directory
   #SupplementaryGroups=                 # Service runs as root, option does not matter
   #SystemCallArchitectures=             # Service may execute system calls with all ABIs; set to native
   #UMask=                               # Files created by service are world-readable by default
   #User=/DynamicUser=                   # Service runs as root user
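The mistakes that are easy to make in such a file are silent: systemd has no inline comments, so a trailing "# ..." becomes part of the value; the *Directory= settings reject absolute paths; and in SystemCallFilter= only a "~" on the first item inverts the list, so a "~" on every item leaves most of the filter unapplied. The following shell script is an added example for this page, not a systemd tool and not from the project: the function name lint_unit, the list of settings it expects and the sample unit it lints are all this page's own constructions. It inspects the [Service] section as plain text, so it runs offline; the authoritative checks remain systemd-analyze verify and systemd-analyze security on the target host.

```shell
#!/bin/sh
# lint_unit FILE
# Hypothetical helper written for this page (not part of systemd): reports the
# mistakes that are easy to make in a hardened [Service] section. It only looks
# at the unit file text, so it runs anywhere; "systemd-analyze verify" and
# "systemd-analyze security" on the target host remain the authoritative checks.
# Prints one finding per line and always returns 0, so it is safe under set -e.
lint_unit() {
    awk '
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg }
    # systemd ignores only lines that START with # or ; (and blank lines)
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    /^[ \t]*\[/ { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
    !in_service { next }
    {
        eq = index($0, "=")
        if (eq == 0) { report("not a Key=Value line"); next }
        key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
        val = substr($0, eq + 1)
        seen[key] = 1
        # a "#" after the value is not a comment, it becomes part of the value
        if (val ~ /#/)
            report("trailing comment in " key "=: systemd has no inline comments, the text after # becomes part of the value")
        # *Directory= takes names relative to /run, /var/lib, /var/cache, /var/log or /etc
        if (key ~ /^(Runtime|State|Cache|Logs|Configuration)Directory$/ && val ~ /^[ \t]*\//)
            report(key "= takes a name relative to its base directory, not an absolute path")
        # only a "~" on the first item inverts these lists; "~" on later items is not recognised
        if ((key == "SystemCallFilter" || key == "RestrictAddressFamilies" || key == "RestrictNamespaces") && val ~ /[ \t]~/)
            report(key "=: only a ~ on the first item inverts the list, ~ on later items is not valid")
        # *Directories= were renamed to *Paths=
        if (key ~ /^(ReadOnly|ReadWrite|Inaccessible)Directories$/)
            report(key "= is the deprecated name of " substr(key, 1, length(key) - 11) "Paths=")
        if (key == "PermissionsStartOnly")
            report("PermissionsStartOnly= is deprecated, prefix the ExecStartPre= commands that need root with +")
    }
    END {
        # the settings the example unit on this page relies on; a missing one is a gap to look at
        n = split("NoNewPrivileges PrivateTmp PrivateDevices ProtectHome ProtectSystem ProtectKernelTunables ProtectKernelModules ProtectControlGroups SystemCallFilter CapabilityBoundingSet", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print FILENAME ": " want[i] "= not set"
        if (!("User" in seen) && !("DynamicUser" in seen))
            print FILENAME ": neither User= nor DynamicUser= set, service runs as root"
    }' "$1"
    return 0
}

# Without arguments, lint a constructed sample unit (not a real service) that
# contains the classic mistakes; otherwise lint the unit files named on the command line.
if [ $# -eq 0 ]; then
    demo=$(mktemp)
    printf '%s\n' '[Service]' 'ReadOnlyDirectories=/' \
        'StateDirectory=myserv   # /var/lib/<name>' 'LogsDirectory=/myserv' \
        'SystemCallFilter=~@clock ~@cpu-emulation @debug' > "$demo"
    lint_unit "$demo"
    rm -f "$demo"
else
    for f in "$@"; do lint_unit "$f"; done
fi
```

Run it as `sh lint_unit.sh /etc/systemd/system/myserv.service` before `systemctl daemon-reload`; the "not set" lines are prompts to decide, not hard errors, since a daemon that needs to bind a privileged port or talk to /dev will legitimately differ from the example above.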