feat(release/systemd): add sandbox for security

AkinoKaede · Aug 22, 2024 · 6804ff7 · 6804ff7
1 parent be45613
commit 6804ff7
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 16 deletions.
diff --git a/release/systemd/system/asport-client.service b/release/systemd/system/asport-client.service
@@ -4,15 +4,26 @@ Documentation=https://github.com/AkinoKaede/asport
 After=network-online.target
 
 [Service]
-User=asport
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
 ExecStart=/usr/local/bin/asport-client --config /usr/local/etc/asport/client.toml
+DynamicUser=true
 Restart=on-failure
 RestartPreventExitStatus=23
 StandardOutput=journal
 StandardError=journal
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target
diff --git a/release/systemd/system/asport-client@.service b/release/systemd/system/asport-client@.service
@@ -4,15 +4,26 @@ Documentation=https://github.com/AkinoKaede/asport
 After=network-online.target
 
 [Service]
-User=asport
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
 ExecStart=/usr/local/bin/asport-client --config /usr/local/etc/asport/%i
+DynamicUser=true
 Restart=on-failure
 RestartPreventExitStatus=23
 StandardOutput=journal
 StandardError=journal
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target
diff --git a/release/systemd/system/asport-server.service b/release/systemd/system/asport-server.service
@@ -4,15 +4,29 @@ Documentation=https://github.com/AkinoKaede/asport
 After=network-online.target
 
 [Service]
-User=asport
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
 ExecStart=/usr/local/bin/asport-server --config /usr/local/etc/asport/server.toml
+DynamicUser=true
 Restart=on-failure
 RestartPreventExitStatus=23
 StandardOutput=journal
 StandardError=journal
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+NoNewPrivileges=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target
diff --git a/release/systemd/system/asport-server@.service b/release/systemd/system/asport-server@.service
@@ -4,15 +4,28 @@ Documentation=https://github.com/AkinoKaede/asport
 After=network-online.target
 
 [Service]
-User=asport
-CapabilityBoundingSet=CAP_NET_BIND_SERVICE
-AmbientCapabilities=CAP_NET_BIND_SERVICE
-NoNewPrivileges=true
 ExecStart=/usr/local/bin/asport-server --config /usr/local/etc/asport/%i
+DynamicUser=true
 Restart=on-failure
 RestartPreventExitStatus=23
 StandardOutput=journal
 StandardError=journal
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
 
 [Install]
 WantedBy=multi-user.target