From c1a8a8a203295563847c9c6a651b126e3948a0ab Mon Sep 17 00:00:00 2001 From: tituspijean Date: Mon, 20 Dec 2021 18:46:15 +0100 Subject: [PATCH 1/2] Appease linter with systemd security --- conf/systemd.service | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/conf/systemd.service b/conf/systemd.service index 0921e3d..131193a 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -10,5 +10,33 @@ Group=__APP__ WorkingDirectory=__FINALPATH__/ ExecStart=__FINALPATH__/venv/bin/python ./run.py +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant for webapps +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + [Install] WantedBy=multi-user.target From d4ee69d66c42d8aa2bd4005e33b4d059f28d01c0 Mon Sep 17 00:00:00 2001 From: tituspijean Date: Mon, 20 Dec 2021 19:16:50 +0100 Subject: [PATCH 2/2] Appease linter with systemd security, without breaking connection --- conf/systemd.service | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/conf/systemd.service b/conf/systemd.service index 131193a..ad977e3 100644 --- a/conf/systemd.service +++ b/conf/systemd.service @@ -12,19 +12,9 @@ ExecStart=__FINALPATH__/venv/bin/python ./run.py # Sandboxing options to harden security # Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html -NoNewPrivileges=yes -PrivateTmp=yes -PrivateDevices=yes -RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 -RestrictNamespaces=yes -RestrictRealtime=yes DevicePolicy=closed ProtectSystem=full ProtectControlGroups=yes -ProtectKernelModules=yes -ProtectKernelTunables=yes -LockPersonality=yes -SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap # Denying access to capabilities that should not be relevant for webapps # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html @@ -35,8 +25,7 @@ CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE -CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW -CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG [Install] WantedBy=multi-user.target