Service Sandboxing using SystemD
This is a simple howto for package maintainers to implement sandboxing around services.
The systemd service files provide directives to restrict capabilities, filter system calls using seccomp, and apply cgroups and namespaces.
See https://www.freedesktop.org/software/systemd/man/systemd.unit.html and https://www.freedesktop.org/software/systemd/man/systemd.service.html
Notice: Sandboxing helps protect the system, other services and the users' home directories from a compromised service. It often provides no hardening for the service itself.
Check the sandboxing status of all services:
sudo systemd-analyze security
Detailed report on the service you maintain:
sudo systemd-analyze security mydaemon.service --no-pager
Update your mydaemon.service file. This is a working example with typical settings:
[Service]
PermissionsStartOnly=true

# Filter directory access
# (ReadOnlyPaths= and ReadWritePaths= are the current names of these two
# directives; the older names used here are still accepted)
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/myservice
ReadWriteDirectories=-/var/log/myservice
ReadWriteDirectories=-/var/run

# systemd only treats '#' as a comment at the start of a line. A trailing
# comment such as "NoNewPrivileges=yes # note" becomes part of the value,
# fails to parse and the directive is ignored with a warning, so every
# comment on an active directive below is on its own line.
# Prevent acquiring new privileges
NoNewPrivileges=yes
# Use dedicated /tmp
PrivateTmp=yes
# Hide system users
PrivateUsers=yes
# Left at the default: service may modify the control group file system
#ProtectControlGroups=
# Hide user homes
ProtectHome=yes
# Prevent access to /dev
PrivateDevices=yes
# Prevent loading or reading kernel modules
ProtectKernelModules=yes
# Prevent altering kernel tunables
ProtectKernelTunables=yes
# strict or full, see docs
ProtectSystem=strict

# Filter system calls, recommended
#SystemCallFilter=
# ~@clock ~@cpu-emulation ~@debug ~@module ~@mount ~@obsolete ~@privileged ~@raw-io ~@reboot ~@resources ~@swap

# The directives below are left at their defaults; each comment describes
# what the default still allows the service to do.
#AmbientCapabilities= # Service process does not receive ambient capabilities
#CapabilityBoundingSet= # Restrict capabilities
# CAP_AUDIT_* # Service has audit subsystem access
# CAP_BLOCK_SUSPEND # Service may establish wake locks
# CAP_(CHOWN|FSETID|SETFCAP) # Service may change file ownership/access mode/capabilities unrestricted
# CAP_(DAC_*|FOWNER|IPC_OWNER) # Service may override UNIX file/IPC permission checks
# CAP_IPC_LOCK # Service may lock memory into RAM
# CAP_KILL # Service may send UNIX signals to arbitrary processes
# CAP_LEASE # Service may create file leases
# CAP_LINUX_IMMUTABLE # Service may mark files immutable
# CAP_MAC_* # Service may adjust SMACK MAC
# CAP_MKNOD # Service may create device nodes
# CAP_NET_ADMIN # Service has network configuration privileges
# CAP_NET_(BIND_SERVICE|BROADCAST|RAW) # Service has elevated networking privileges
# CAP_SYS_RAWIO # Service has raw I/O access
# CAP_SET(UID|GID|PCAP) # Service may change UID/GID identities/capabilities
# CAP_SYS_ADMIN # Service has administrator privileges
# CAP_SYS_BOOT # Service may issue reboot()
# CAP_SYS_CHROOT # Service may issue chroot()
# CAP_SYSLOG # Service has access to kernel logging
# CAP_SYS_MODULE # Service may load kernel modules
# CAP_SYS_(NICE|RESOURCE) # Service has privileges to change resource use parameters
# CAP_SYS_PACCT # Service may use acct()
# CAP_SYS_PTRACE # Service has ptrace() debugging abilities
# CAP_SYS_TIME # Service processes may change the system clock
# CAP_SYS_TTY_CONFIG # Service may issue vhangup()
# CAP_WAKE_ALARM # Service may program timers that wake up the system
#Delegate= # Service does not maintain its own delegated control group subtree
#DeviceAllow= # Service has no device ACL
#IPAddressDeny= # Service does not define an IP address whitelist
#KeyringMode= # Service doesn't share key material with other services
#LockPersonality= # Service may change ABI personality
#MemoryDenyWriteExecute= # Service may create writable executable memory mappings
#NotifyAccess= # Service child processes cannot alter service state
#PrivateMounts= # Service may install system mounts
#PrivateNetwork= # Service has access to the host's network
#ProtectHostname= # Service may change system host/domainname
#ProtectKernelLogs= # Service may read from or write to the kernel log ring buffer
#RestrictAddressFamilies=~AF_(INET|INET6) ~AF_NETLINK ~AF_PACKET ~AF_UNIX # Filter socket type
#RestrictNamespaces= # Filter namespace creation:
# ~CLONE_NEWCGROUP ~CLONE_NEWIPC ~CLONE_NEWNET ~CLONE_NEWNS ~CLONE_NEWPID ~CLONE_NEWUSER ~CLONE_NEWUTS
#RestrictRealtime= # Service may acquire realtime scheduling
#RestrictSUIDSGID= # Service may create SUID/SGID files
#RootDirectory=/RootImage= # Service runs within the host's root directory
#SupplementaryGroups= # Service runs as root, option does not matter
#SystemCallArchitectures= # Service may execute system calls with all ABIs
#UMask= # Files created by service are world-readable by default
#User=/DynamicUser= # Service runs as root user
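Before relying on systemd-analyze security, it helps to check the unit text itself for the two mistakes that make a hardening directive silently not apply: a trailing comment on a directive line (systemd only recognises comments at the start of a line) and an empty value. The checker below is an added example, not code from the original page; it parses the unit with systemd's comment rules and audits the [Service] directives listed on this page, and the unit it audits is constructed.

```python
# Added checker, not from the original page: parses a unit file the way
# systemd does and reports hardening directives that silently do not apply.
HARDENING = ("NoNewPrivileges", "PrivateTmp", "PrivateUsers", "ProtectHome",
             "PrivateDevices", "ProtectKernelModules", "ProtectKernelTunables",
             "ProtectControlGroups", "ProtectSystem", "SystemCallFilter")

def parse_unit(text):
    """{(section, key): [values]}; '#'/';' only open a comment at the start
    of a line, so 'Key=yes # note' keeps the note inside the value."""
    section, settings = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, _, value = line.partition("=")
        settings.setdefault((section, key.strip()), []).append(value.strip())
    return settings

def audit(text):
    """(enabled, problems, missing) for [Service]; problems are values
    systemd fails to parse and therefore ignores with a warning."""
    enabled, problems = [], []
    for (section, key), values in parse_unit(text).items():
        if section != "Service" or key not in HARDENING:
            continue
        for value in values:
            if " #" in value:   # trailing comment swallowed into the value
                problems.append(f"{key}: inline comment in {value!r}")
            elif value == "":   # empty boolean/enum value is rejected
                problems.append(f"{key}: empty value")
            else:
                enabled.append(key)
    missing = [k for k in HARDENING if k not in enabled]
    return enabled, problems, missing

# Constructed sample unit with both mistakes deliberately present.
SAMPLE = """[Unit]
Description=constructed sample, not a real unit
[Service]
PermissionsStartOnly=true
NoNewPrivileges=yes # Prevent acquiring new privileges
ProtectControlGroups=
ProtectSystem=strict
PrivateTmp=yes
"""
```

Run audit() over the text of your own unit file; anything in the problems list is a directive systemd will ignore, and the missing list is what systemd-analyze security will still score against you.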