5deac3d0ac
This sandboxes the service in three ways: * Remove all capabilities by emptying the capability bounding set and setting the no_new_privs bit. irqbalance drops capabilities during initialization anyways, and as far as I can tell nothing before that step requires capabilities, so we might as well drop them even earlier. * Mount the entire file system except for /proc/irq read-only. /proc/irq is the only directory that irqbalance should need to write to (assuming that no PID file is configured). * Disable most communication with the outside world by preventing access to address families other than unix(7) (e. g. ip(7), ipv6(7)) and hiding sockets in the /run directory from it. (Due to the file system restrictions, the daemon cannot allocate new socket files either, but the abstract namespace remains accessible for communication with irqbalance-ui.) This is not a complete sandbox, but intended to strike a balance between security and a readable, not overly long unit file. Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de> |
||
---|---|---|
.. | ||
90-irqbalance.rules | ||
irqbalance.env | ||
irqbalance.service |