systemd: add sandboxing directives
This sandboxes the service in three ways:

* Remove all capabilities by emptying the capability bounding set and setting the no_new_privs bit. irqbalance drops capabilities during initialization anyway, and as far as I can tell nothing before that step requires capabilities, so we might as well drop them even earlier.
* Mount the entire file system except for /proc/irq read-only. /proc/irq is the only directory that irqbalance should need to write to (assuming that no PID file is configured).
* Disable most communication with the outside world by preventing access to address families other than unix(7) (e.g. ip(7), ipv6(7)) and hiding sockets in the /run directory from it. (Due to the file system restrictions, the daemon cannot allocate new socket files either, but the abstract namespace remains accessible for communication with irqbalance-ui.)

This is not a complete sandbox, but intended to strike a balance between security and a readable, not overly long unit file.

Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de>
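As an added check (example code written for this page, not part of the commit or of irqbalance), the POSIX shell lint below reads a unit file and verifies the three points of the commit message one by one, plus its caveat that /proc/irq is the only writable path "assuming that no PID file is configured". It assumes irqbalance spells its pidfile option `--pid=<file>`, and the two sample units it checks are constructed here; the weak one drops three directives and adds a pidfile outside /proc/irq.

```shell
#!/bin/sh
# Added example (not irqbalance's own code): lint a systemd unit for the
# sandboxing directives described in the commit message above, including its
# caveat that /proc/irq is the only writable path "assuming that no PID file
# is configured". The --pid=<file> spelling of irqbalance's pidfile option and
# the two sample units below are assumptions constructed for this example.

# Print the [Service] section of a unit file (header up to the next section header).
service_section() {
    sed -n '/^\[Service\]/,/^\[/p' "$1"
}

# Does KEY appear in [Service] at all?  An empty assignment still counts as present.
unit_has() {
    service_section "$1" | grep -q "^$2="
}

# Last value assigned to KEY in [Service]; empty if absent or assigned empty.
unit_value() {
    service_section "$1" | sed -n "s/^$2=//p" | tail -n 1
}

fail() {
    echo "FAIL: $*"
    fails=$((fails + 1))
}

# check_sandbox_unit FILE: report each missing directive, return their count.
check_sandbox_unit() {
    unit=$1
    fails=0

    # 1. No capabilities, and no way to regain them through setuid or file caps.
    if ! unit_has "$unit" CapabilityBoundingSet || [ -n "$(unit_value "$unit" CapabilityBoundingSet)" ]; then
        fail "CapabilityBoundingSet= must be present and empty"
    fi
    [ "$(unit_value "$unit" NoNewPrivileges)" = yes ] || fail "NoNewPrivileges=yes missing"

    # 2. Read-only file system with /proc/irq the only writable directory.
    [ "$(unit_value "$unit" ReadOnlyPaths)" = / ] || fail "ReadOnlyPaths=/ missing"
    rw=$(unit_value "$unit" ReadWritePaths)
    case " $rw " in
        *" /proc/irq "*) ;;
        *) fail "ReadWritePaths= does not include /proc/irq" ;;
    esac

    # 3. Only unix(7) sockets, and the real /run hidden behind an empty read-only tmpfs.
    [ "$(unit_value "$unit" RestrictAddressFamilies)" = AF_UNIX ] || fail "RestrictAddressFamilies=AF_UNIX missing"
    [ "$(unit_value "$unit" TemporaryFileSystem)" = /run:ro ] || fail "TemporaryFileSystem=/run:ro missing"

    # Caveat: a pidfile on the ExecStart line needs a writable parent directory.
    # (Arguments pulled in from EnvironmentFile= are invisible to this check.)
    pidfile=$(unit_value "$unit" ExecStart | sed -n 's/.*--pid=\([^ ]*\).*/\1/p')
    if [ -n "$pidfile" ]; then
        covered=0
        for p in $rw; do
            case "$pidfile" in "$p"/*) covered=1 ;; esac
        done
        [ "$covered" = 1 ] || fail "pid file $pidfile is not under any ReadWritePaths= entry"
    fi
    return "$fails"
}

# Constructed sample units: the hardened one mirrors the commit; the weak one
# omits three directives and configures a pidfile outside /proc/irq.
hardened=$(mktemp)
cat >"$hardened" <<'EOF'
[Unit]
Description=irqbalance daemon
[Service]
ExecStart=/usr/sbin/irqbalance --foreground
CapabilityBoundingSet=
NoNewPrivileges=yes
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
RestrictAddressFamilies=AF_UNIX
TemporaryFileSystem=/run:ro
[Install]
WantedBy=multi-user.target
EOF

weak=$(mktemp)
cat >"$weak" <<'EOF'
[Service]
ExecStart=/usr/sbin/irqbalance --foreground --pid=/run/irqbalance.pid
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
TemporaryFileSystem=/run:ro
EOF

check_sandbox_unit "$hardened" && echo "hardened unit: OK"
check_sandbox_unit "$weak" || echo "weak unit: $? problem(s)"
```

The pidfile check only sees what is literally on the ExecStart= line; a `--pid=` passed through `$IRQBALANCE_ARGS` from the EnvironmentFile= would slip past it, which is exactly the case the commit message's caveat warns about, so inspect the environment file as well when that indirection is used.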
parent 93e9429388
commit 5deac3d0ac
@ -7,6 +7,12 @@ ConditionVirtualization=!container
[Service]
EnvironmentFile=/path/to/irqbalance.env
ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS
CapabilityBoundingSet=
NoNewPrivileges=yes
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
RestrictAddressFamilies=AF_UNIX
TemporaryFileSystem=/run:ro
[Install]
WantedBy=multi-user.target
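Review bot: the new directives carry none of the reasoning from the commit message into the unit itself, so the next person editing this file has no hint why `ReadWritePaths=/proc/irq` is the only writable path, why `TemporaryFileSystem=/run:ro` does not break irqbalance-ui (the abstract unix socket namespace stays reachable), or that the whole arrangement assumes no PID file is configured. Someone later adding a pidfile option through `$IRQBALANCE_ARGS` would get a service that fails at startup on a read-only file system with nothing in the unit pointing at the cause. Suggest a brief comment block above `CapabilityBoundingSet=` summarizing the three points and stating the pidfile assumption explicitly, e.g. "# /proc/irq is the only writable path; a pidfile needs its own ReadWritePaths= entry".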