mnt-servo-*-reachable.service: harden systemd service
@@ -193,7 +193,6 @@ let
|
|||||||
dir.acl.mode = "0750";
|
dir.acl.mode = "0750";
|
||||||
wantedBy = [ "default.target" ];
|
wantedBy = [ "default.target" ];
|
||||||
mount.depends = [ "network-online.target" "${systemdName}-reachable.service" ];
|
mount.depends = [ "network-online.target" "${systemdName}-reachable.service" ];
|
||||||
# mount.unitConfig.Conflicts = [ "${systemdName}-reachable.service" ]; #< ensures that we *retry* reachability on every activation attempt
|
|
||||||
#VVV patch so that when the mount fails, we start a timer to remount it.
|
#VVV patch so that when the mount fails, we start a timer to remount it.
|
||||||
# and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
|
# and for a disconnection after a good mount (onSuccess), restart the timer to be more aggressive
|
||||||
mount.unitConfig.OnFailure = [ "${systemdName}.timer" ];
|
mount.unitConfig.OnFailure = [ "${systemdName}.timer" ];
|
||||||
@@ -246,7 +245,47 @@ let
|
|||||||
serviceConfig.RemainAfterExit = true;
|
serviceConfig.RemainAfterExit = true;
|
||||||
serviceConfig.Type = "oneshot";
|
serviceConfig.Type = "oneshot";
|
||||||
unitConfig.BindsTo = [ "${systemdName}.mount" ];
|
unitConfig.BindsTo = [ "${systemdName}.mount" ];
|
||||||
# unitConfig.PartOf = [ "${systemdName}.mount" ];
|
# hardening (systemd-analyze security mnt-servo-playground-reachable.service)
|
||||||
|
serviceConfig.AmbientCapabilities = "";
|
||||||
|
serviceConfig.CapabilityBoundingSet = "";
|
||||||
|
serviceConfig.DynamicUser = true;
|
||||||
|
serviceConfig.LockPersonality = true;
|
||||||
|
serviceConfig.MemoryDenyWriteExecute = true;
|
||||||
|
serviceConfig.NoNewPrivileges = true;
|
||||||
|
serviceConfig.PrivateDevices = true;
|
||||||
|
serviceConfig.PrivateMounts = true;
|
||||||
|
serviceConfig.PrivateTmp = true;
|
||||||
|
serviceConfig.PrivateUsers = true;
|
||||||
|
serviceConfig.ProcSubset = "all";
|
||||||
|
serviceConfig.ProtectClock = true;
|
||||||
|
serviceConfig.ProtectControlGroups = true;
|
||||||
|
serviceConfig.ProtectHome = true;
|
||||||
|
serviceConfig.ProtectKernelModules = true;
|
||||||
|
serviceConfig.ProtectProc = "invisible";
|
||||||
|
serviceConfig.ProtectSystem = "strict";
|
||||||
|
serviceConfig.RemoveIPC = true;
|
||||||
|
serviceConfig.RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
|
||||||
|
# serviceConfig.RestrictFileSystems = "@common-block @basic-api"; #< NOPE
|
||||||
|
serviceConfig.RestrictRealtime = true;
|
||||||
|
serviceConfig.RestrictSUIDSGID = true;
|
||||||
|
serviceConfig.SystemCallArchitectures = "native";
|
||||||
|
serviceConfig.SystemCallFilter = [
|
||||||
|
"@system-service"
|
||||||
|
"@mount"
|
||||||
|
"~@chown"
|
||||||
|
"~@cpu-emulation"
|
||||||
|
"~@keyring"
|
||||||
|
# "~@privileged" #< NOPE
|
||||||
|
"~@resources"
|
||||||
|
# could remove some more probably
|
||||||
|
];
|
||||||
|
serviceConfig.IPAddressDeny = "any";
|
||||||
|
serviceConfig.IPAddressAllow = "10.0.10.5";
|
||||||
|
serviceConfig.DevicePolicy = "closed";
|
||||||
|
# exceptions
|
||||||
|
serviceConfig.ProtectHostname = false;
|
||||||
|
serviceConfig.ProtectKernelLogs = false;
|
||||||
|
serviceConfig.ProtectKernelTunables = false;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.targets."${systemdName}-restart-timer" = {
|
systemd.targets."${systemdName}-restart-timer" = {
|
||||||
|
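Review bot: `serviceConfig.IPAddressAllow = "10.0.10.5"` near the end of the hunk is the one value in this block not derived from a Nix binding, and paired with `IPAddressDeny = "any"` it fails closed: traffic to any other address is dropped, so if the probe in ExecStart (outside this hunk) names the server by hostname and resolves it over UDP/TCP from this unit rather than through systemd-resolved, the check cannot even reach the reachability test, and a later change of the server address turns into a mount that never activates with no error pointing here. If the address is already bound alongside `systemdName`, reference it, `serviceConfig.IPAddressAllow = <nix-binding-for-server-address>;` (placeholder), or at least add a comment that the two must be kept in sync. The `# exceptions` block and the two `#< NOPE` markers record what was disabled but not why; a one-line reason on each, e.g. `# ProtectKernelTunables=false: <what the probe needed>`, would stop the next reader from re-enabling them. `"@mount"` in `SystemCallFilter` looks redundant under an empty `CapabilityBoundingSet`, since without CAP_SYS_ADMIN those calls fail with EPERM anyway, so it can likely be dropped unless the probe depends on getting EPERM instead of a seccomp SIGSYS. The enclosing service attribute set starts before this hunk.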