Differences between revisions 2 and 3
Revision 2 as of 2020-01-19 13:58:39
Size: 870
Comment:
Revision 3 as of 2020-01-19 14:08:56
Size: 5977
Comment:
Line 23: Line 23:
Update your mydaemon.service file Update your mydaemon.service file. This is a working example with typical settings

{{{#!highlight ini
[Service]
PermissionsStartOnly=true

# Filter directory access
ReadOnlyDirectories=/
ReadWriteDirectories=-/proc
ReadWriteDirectories=-/var/lib/myservice
ReadWriteDirectories=-/var/log/myservice
ReadWriteDirectories=-/var/run

NoNewPrivileges=yes # Prevent acquiring new privileges
PrivateTmp=yes # Use dedicated /tmp
PrivateUsers=yes # Hide system users
ProtectControlGroups= # Service may modify to the control group file system
ProtectHome=yes # Hide user homes
PrivateDevices=yes # Prevent access to /dev
ProtectKernelModules=yes # Prevent loading or reading kernel modules
ProtectKernelTunables=yes # Prevent altering kernel tunables
ProtectSystem=strict # strict or full, see docs

#SystemCallFilter= # Filter system calls, recommended
# ~@clock ~@cpu-emulation ~@debug ~@module ~@mount ~@obsolete ~@privileged ~@raw-io ~@reboot ~@resources ~@swap

#AmbientCapabilities= # Service process does not receive ambient capabilities
#CapabilityBoundingSet= # Restrict capabilities
# CAP_AUDIT_* # Service has audit subsystem access
# CAP_BLOCK_SUSPEND # Service may establish wake locks
# CAP_(CHOWN|FSETID|SETFCAP) # Service may change file ownership/access mode/capabilities unrestricted
# CAP_(DAC_*|FOWNER|IPC_OWNER) # Service may override UNIX file/IPC permission checks
# CAP_IPC_LOCK # Service may lock memory into RAM
# CAP_KILL # Service may send UNIX signals to arbitrary processes
# CAP_LEASE # Service may create file leases
# CAP_LINUX_IMMUTABLE # Service may mark files immutable
# CAP_MAC_* # Service may adjust SMACK MAC
# CAP_MKNOD # Service may create device nodes
# CAP_NET_ADMIN # Service has network configuration privileges
# CAP_NET_(BIND_SERVICE|BROADCAST|RAW)# Service has elevated networking privileges
# CAP_RAWIO # Service has raw I/O access
# CAP_SET(UID|GID|PCAP) # Service may change UID/GID identities/capabilities
# CAP_SYS_ADMIN # Service has administrator privileges
# CAP_SYS_BOOT # Service may issue reboot()
# CAP_SYS_CHROOT # Service may issue chroot()
# CAP_SYSLOG # Service has access to kernel logging
# CAP_SYS_MODULE # Service may load kernel modules
# CAP_SYS_(NICE|RESOURCE) # Service has privileges to change resource use parameters
# CAP_SYS_PACCT # Service may use acct()
# CAP_SYS_PTRACE # Service has ptrace() debugging abilities
# CAP_SYS_TIME # Service processes may change the system clock
# CAP_SYS_TTY_CONFIG # Service may issue vhangup()
# CAP_WAKE_ALARM # Service may program timers that wake up the system
#Delegate= # Service does not maintain its own delegated control group subtree
#DeviceAllow= # Service has no device ACL
#IPAddressDeny= # Service does not define an IP address whitelist
#KeyringMode= # Service doesn't share key material with other services
#LockPersonality= # Service may change ABI personality
#MemoryDenyWriteExecute= # Service may create writable executable memory mappings
#NotifyAccess= # Service child processes cannot alter service state
#PrivateMounts= # Service may install system mounts
#PrivateNetwork= # Service has access to the host's network
#ProtectHostname= # Service may change system host/domainname
#ProtectKernelLogs= # Service may read from or write to the kernel log ring buffer
#RestrictAddressFamilies=~AF_(INET|INET6) ~AF_NETLINK ~AF_PACKET ~AF_UNIX # Filter socket type
#RestrictNamespaces= # filter namespace creation:
# ~CLONE_NEWCGROUP ~CLONE_NEWIPC ~CLONE_NEWNET ~CLONE_NEWNS ~CLONE_NEWPID ~CLONE_NEWUSER ~CLONE_NEWUTS
#RestrictRealtime= # Service may acquire realtime scheduling
#RestrictSUIDSGID= # Service may create SUID/SGID files
#RootDirectory=/RootImage= # Service runs within the host's root directory
#SupplementaryGroups= # Service runs as root, option does not matter
#SystemCallArchitectures= # Service may execute system calls with all ABIs
#UMask= # Files created by service are world-readable by default
#User=/DynamicUser= # Service runs as root user
}}}
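Review bot: The active settings in the new `{{{#!highlight ini}}}` block carry trailing comments (`NoNewPrivileges=yes # Prevent acquiring new privileges` through `ProtectSystem=strict # strict or full, see docs`), but systemd has no inline-comment syntax: everything after `=` is the value, so `yes # Prevent acquiring new privileges` is not a valid boolean and systemd logs a parse warning and ignores the line, meaning the "working example" applies none of those protections. Move each explanation onto its own `#` line above the setting it describes. The same applies to `ProtectControlGroups=` with an empty value, which is not a valid boolean either; since the comment says the service is allowed to modify the cgroup file system, comment the line out like the other optional settings (`#ProtectControlGroups=`). In the commented `SystemCallFilter=` example a single leading `~` inverts the whole list, so the documented form is `SystemCallFilter=~@clock @cpu-emulation @debug …` rather than `~` on every group.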

Service Sandboxing using SystemD

This is a simple howto for package maintainers to implement sandboxing around services.

The systemd service files provide directives to restrict capabilities, filter system calls using seccomp, and apply cgroups and namespaces.

See https://www.freedesktop.org/software/systemd/man/systemd.unit.html and https://www.freedesktop.org/software/systemd/man/systemd.service.html

Notice: Sandboxing helps protect the system, other services and users' home directories from a compromised service. It often provides no hardening for the service itself.

Check the sandboxing status of all services:

   1 sudo systemd-analyze security

Detailed report on the service you maintain:

   1 sudo systemd-analyze security mydaemon.service --no-pager

Update your mydaemon.service file. The following is a working example with typical settings:

   1 [Service]
   2 PermissionsStartOnly=true
   3 
   4 # Filter directory access
   5 ReadOnlyDirectories=/
   6 ReadWriteDirectories=-/proc
   7 ReadWriteDirectories=-/var/lib/myservice
   8 ReadWriteDirectories=-/var/log/myservice
   9 ReadWriteDirectories=-/var/run
  10 
  11 NoNewPrivileges=yes                   # Prevent acquiring new privileges
  12 PrivateTmp=yes                        # Use dedicated /tmp
  13 PrivateUsers=yes                      # Hide system users
  14 ProtectControlGroups=                 # Service may modify to the control group file system
  15 ProtectHome=yes                       # Hide user homes
  16 PrivateDevices=yes                    # Prevent access to /dev
  17 ProtectKernelModules=yes              # Prevent loading or reading kernel modules
  18 ProtectKernelTunables=yes             # Prevent altering kernel tunables
  19 ProtectSystem=strict                  # strict or full, see docs
  20 
  21 #SystemCallFilter=                    # Filter system calls, recommended
  22 # ~@clock ~@cpu-emulation ~@debug ~@module ~@mount ~@obsolete ~@privileged ~@raw-io ~@reboot ~@resources ~@swap
  23 
  24 #AmbientCapabilities=                 # Service process does not receive ambient capabilities
  25 #CapabilityBoundingSet=               # Restrict capabilities
  26 # CAP_AUDIT_*                         # Service has audit subsystem access
  27 # CAP_BLOCK_SUSPEND                   # Service may establish wake locks
  28 # CAP_(CHOWN|FSETID|SETFCAP)          # Service may change file ownership/access mode/capabilities unrestricted
  29 # CAP_(DAC_*|FOWNER|IPC_OWNER)        # Service may override UNIX file/IPC permission checks
  30 # CAP_IPC_LOCK                        # Service may lock memory into RAM
  31 # CAP_KILL                            # Service may send UNIX signals to arbitrary processes
  32 # CAP_LEASE                           # Service may create file leases
  33 # CAP_LINUX_IMMUTABLE                 # Service may mark files immutable
  34 # CAP_MAC_*                           # Service may adjust SMACK MAC
  35 # CAP_MKNOD                           # Service may create device nodes
  36 # CAP_NET_ADMIN                       # Service has network configuration privileges
  37 # CAP_NET_(BIND_SERVICE|BROADCAST|RAW)# Service has elevated networking privileges
  38 # CAP_RAWIO                           # Service has raw I/O access
  39 # CAP_SET(UID|GID|PCAP)               # Service may change UID/GID identities/capabilities
  40 # CAP_SYS_ADMIN                       # Service has administrator privileges
  41 # CAP_SYS_BOOT                        # Service may issue reboot()
  42 # CAP_SYS_CHROOT                      # Service may issue chroot()
  43 # CAP_SYSLOG                          # Service has access to kernel logging
  44 # CAP_SYS_MODULE                      # Service may load kernel modules
  45 # CAP_SYS_(NICE|RESOURCE)             # Service has privileges to change resource use parameters
  46 # CAP_SYS_PACCT                       # Service may use acct()
  47 # CAP_SYS_PTRACE                      # Service has ptrace() debugging abilities
  48 # CAP_SYS_TIME                        # Service processes may change the system clock
  49 # CAP_SYS_TTY_CONFIG                  # Service may issue vhangup()
  50 # CAP_WAKE_ALARM                      # Service may program timers that wake up the system
  51 #Delegate=                            # Service does not maintain its own delegated control group subtree
  52 #DeviceAllow=                         # Service has no device ACL
  53 #IPAddressDeny=                       # Service does not define an IP address whitelist
  54 #KeyringMode=                         # Service doesn't share key material with other services
  55 #LockPersonality=                     # Service may change ABI personality
  56 #MemoryDenyWriteExecute=              # Service may create writable executable memory mappings
  57 #NotifyAccess=                        # Service child processes cannot alter service state
  58 #PrivateMounts=                       # Service may install system mounts
  59 #PrivateNetwork=                      # Service has access to the host's network
  60 #ProtectHostname=                     # Service may change system host/domainname
  61 #ProtectKernelLogs=                   # Service may read from or write to the kernel log ring buffer
  62 #RestrictAddressFamilies=~AF_(INET|INET6) ~AF_NETLINK ~AF_PACKET ~AF_UNIX  # Filter socket type
  63 #RestrictNamespaces=                  # filter namespace creation:
  64 # ~CLONE_NEWCGROUP ~CLONE_NEWIPC ~CLONE_NEWNET ~CLONE_NEWNS ~CLONE_NEWPID ~CLONE_NEWUSER ~CLONE_NEWUTS
  65 #RestrictRealtime=                    # Service may acquire realtime scheduling
  66 #RestrictSUIDSGID=                    # Service may create SUID/SGID files
  67 #RootDirectory=/RootImage=            # Service runs within the host's root directory
  68 #SupplementaryGroups=                 # Service runs as root, option does not matter
  69 #SystemCallArchitectures=             # Service may execute system calls with all ABIs
  70 #UMask=                               # Files created by service are world-readable by default
  71 #User=/DynamicUser=                   # Service runs as root user