This sandboxes the service in three ways:

* Remove all capabilities by emptying the capability bounding set and setting the no_new_privs bit. irqbalance drops capabilities during initialization anyways, and as far as I can tell nothing before that step requires capabilities, so we might as well drop them even earlier.
* Mount the entire file system except for /proc/irq read-only. /proc/irq is the only directory that irqbalance should need to write to (assuming that no PID file is configured).
* Disable most communication with the outside world by preventing access to address families other than unix(7) (e.g. ip(7), ipv6(7)) and hiding sockets in the /run directory from it. (Due to the file system restrictions, the daemon cannot allocate new socket files either, but the abstract namespace remains accessible for communication with irqbalance-ui.)

This is not a complete sandbox, but intended to strike a balance between security and a readable, not overly long unit file.

Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de>
19 lines
453 B
Desktop File
[Unit]
Description=irqbalance daemon
Documentation=man:irqbalance(1)
Documentation=https://github.com/Irqbalance/irqbalance
ConditionVirtualization=!container

[Service]
EnvironmentFile=/path/to/irqbalance.env
ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS
CapabilityBoundingSet=
NoNewPrivileges=yes
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
RestrictAddressFamilies=AF_UNIX
TemporaryFileSystem=/run:ro

[Install]
WantedBy=multi-user.target
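Review bot: The read-only root (ReadOnlyPaths=/ with only ReadWritePaths=/proc/irq) silently conflicts with the EnvironmentFile line, since an operator who puts a PID-file option into $IRQBALANCE_ARGS will get a write failure at startup that nothing in the unit explains; the commit message states the no-PID-file assumption, but the unit file itself does not. Suggest either a comment line next to EnvironmentFile=/path/to/irqbalance.env saying that a PID file is not supported under this sandbox, or adding the intended PID directory to ReadWritePaths= so that the documented option keeps working. Minor: /path/to/irqbalance.env reads as a placeholder rather than a real installation path, so it is worth confirming it is substituted at build or packaging time.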