6212
6256
Line 38: | Line 38: |
NoNewPrivileges=yes # Prevent acquiring new privileges | NoNewPrivileges=yes # Prevent acquiring new privileges. Warning: breaks execution of SUID binaries |
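Review bot: The warning is appended to a trailing comment that systemd does not support, so on the new side `NoNewPrivileges=yes # Prevent acquiring new privileges. Warning: breaks execution of SUID binaries` is read with `yes # Prevent …` as the value, which fails the boolean parse and is ignored with a journal warning — the directive the page recommends is never applied. Put the description on its own line above the setting: `# Prevent acquiring new privileges. Warning: breaks execution of SUID binaries` followed by `NoNewPrivileges=yes`. The same trailing-comment form is used on every other setting in the full example further down the page (PrivateTmp=, ProtectSystem=, StateDirectory= and so on), which would need the same treatment; `systemd-analyze security mydaemon.service`, already suggested on the page, shows whether a setting actually took effect.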
Service Sandboxing using systemd
This is a simple howto for package maintainers to implement sandboxing around services.
systemd service files provide directives to restrict capabilities, filter system calls using seccomp, and apply cgroups and namespaces.
See https://www.freedesktop.org/software/systemd/man/systemd.unit.html and https://www.freedesktop.org/software/systemd/man/systemd.service.html
Notice: Sandboxing helps protect the system, other services and users' home directories from a compromised service. It often provides no hardening for the service itself.
Check the sandboxing status of all services:
1 sudo systemd-analyze security
Detailed report on the service you maintain:
1 sudo systemd-analyze security mydaemon.service --no-pager
Update your mydaemon.service file. This is a working example for a service "myserv" with typical settings.
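# [Service] sandboxing example for a service "myserv".
# systemd unit files do not support trailing comments: everything after "="
# is the value, so "Key=yes # note" fails to parse and the setting is ignored
# (systemd logs a warning). Every description therefore sits on its own line,
# directly above the setting it describes.
[Service]
# Only ExecStart= runs as User=; ExecStartPre= etc. keep root (legacy setting)
PermissionsStartOnly=yes

# Filter directory access: the whole file system is read-only, and the
# *Directory= settings below carve out the writable places the service needs
ReadOnlyDirectories=/
# /run/myserv; the innermost subdirectories are removed when the unit is stopped
#RuntimeDirectory=myserv
# /var/lib/myserv
StateDirectory=myserv
# /var/cache/myserv
CacheDirectory=myserv
# /var/log/myserv - the name must be relative, a leading "/" is rejected
LogsDirectory=myserv
# /etc/myserv
ConfigurationDirectory=myserv
# These *Directory= settings change behavior with DynamicUser= - see docs

# Prevent acquiring new privileges. Warning: breaks execution of SUID binaries
NoNewPrivileges=yes
# Use dedicated /tmp
PrivateTmp=yes
# Hide system users
PrivateUsers=yes
# Not set: service may modify the control group file system.
# An empty value is not a valid boolean and is ignored; use "yes" to protect it.
#ProtectControlGroups=
# Hide user homes
ProtectHome=yes
# Prevent access to /dev
PrivateDevices=yes
# Prevent loading or reading kernel modules
ProtectKernelModules=yes
# Prevent altering kernel tunables
ProtectKernelTunables=yes
# strict or full, see docs
ProtectSystem=strict

# Filter system calls, recommended. A typical deny list:
#   ~@clock ~@cpu-emulation ~@debug ~@module ~@mount ~@obsolete ~@privileged ~@raw-io ~@reboot ~@resources ~@swap
#SystemCallFilter=

# The settings below are not set; each description states the resulting default.
# Service process does not receive ambient capabilities
#AmbientCapabilities=
# Restrict capabilities. What each capability grants if left in the set:
#   CAP_AUDIT_*                         Service has audit subsystem access
#   CAP_BLOCK_SUSPEND                   Service may establish wake locks
#   CAP_(CHOWN|FSETID|SETFCAP)          Service may change file ownership/access mode/capabilities unrestricted
#   CAP_(DAC_*|FOWNER|IPC_OWNER)        Service may override UNIX file/IPC permission checks
#   CAP_IPC_LOCK                        Service may lock memory into RAM
#   CAP_KILL                            Service may send UNIX signals to arbitrary processes
#   CAP_LEASE                           Service may create file leases
#   CAP_LINUX_IMMUTABLE                 Service may mark files immutable
#   CAP_MAC_*                           Service may adjust SMACK MAC
#   CAP_MKNOD                           Service may create device nodes
#   CAP_NET_ADMIN                       Service has network configuration privileges
#   CAP_NET_(BIND_SERVICE|BROADCAST|RAW) Service has elevated networking privileges
#   CAP_SYS_RAWIO                       Service has raw I/O access
#   CAP_SET(UID|GID|PCAP)               Service may change UID/GID identities/capabilities
#   CAP_SYS_ADMIN                       Service has administrator privileges
#   CAP_SYS_BOOT                        Service may issue reboot()
#   CAP_SYS_CHROOT                      Service may issue chroot()
#   CAP_SYSLOG                          Service has access to kernel logging
#   CAP_SYS_MODULE                      Service may load kernel modules
#   CAP_SYS_(NICE|RESOURCE)             Service has privileges to change resource use parameters
#   CAP_SYS_PACCT                       Service may use acct()
#   CAP_SYS_PTRACE                      Service has ptrace() debugging abilities
#   CAP_SYS_TIME                        Service processes may change the system clock
#   CAP_SYS_TTY_CONFIG                  Service may issue vhangup()
#   CAP_WAKE_ALARM                      Service may program timers that wake up the system
#CapabilityBoundingSet=
# Service does not maintain its own delegated control group subtree
#Delegate=
# Service has no device ACL
#DeviceAllow=
# Service does not define an IP address allow list
#IPAddressDeny=
# Service doesn't share key material with other services
#KeyringMode=
# Service may change ABI personality
#LockPersonality=
# Service may create writable executable memory mappings
#MemoryDenyWriteExecute=
# Service child processes cannot alter service state
#NotifyAccess=
# Service may install system mounts
#PrivateMounts=
# Service has access to the host's network
#PrivateNetwork=
# Service may change system host/domainname
#ProtectHostname=
# Service may read from or write to the kernel log ring buffer
#ProtectKernelLogs=
# Filter socket types, e.g.: ~AF_(INET|INET6) ~AF_NETLINK ~AF_PACKET ~AF_UNIX
#RestrictAddressFamilies=
# Filter namespace creation, e.g.:
#   ~CLONE_NEWCGROUP ~CLONE_NEWIPC ~CLONE_NEWNET ~CLONE_NEWNS ~CLONE_NEWPID ~CLONE_NEWUSER ~CLONE_NEWUTS
#RestrictNamespaces=
# Service may acquire realtime scheduling
#RestrictRealtime=
# Service may create SUID/SGID files
#RestrictSUIDSGID=
# Service runs within the host's root directory
#RootDirectory=
#RootImage=
# Service runs as root, option does not matter
#SupplementaryGroups=
# Service may execute system calls with all ABIs
#SystemCallArchitectures=
# Files created by service are world-readable by default
#UMask=
# Service runs as root user
#User=
#DynamicUser=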