hardened and made more reliable the monitor.service file #359
- since the service depends on the bluetooth daemon, start after it ( After= )
- since the daemon fails to work properly without bluetooth, don't start it if bluetooth fails ( Requires= )
- shut down the service when bluetooth fails ( BindsTo= )
- since the daemon isn't necessary for networking, don't install it in the network target
- set restart mode to on-failure so that if the user accidentally sets a one-shot setting manually in the service, it doesn't keep re-launching it
- don't fork the process into the background, so that systemd can track the pids of all the programs spawned and kill them if they hang, to ensure a proper shutdown
- split the re-writable file with the environment into a separate optional file $service_config_path, which is "/etc/default/monitor"; the daemon shouldn't re-write its own service file, for both security and bug prevention
- since the daemon runs with ultimate privileges and it's networked, removing the unnecessary ones can prevent system disruption in the case of a bug or a fly-by scripted attack:
  - LockPersonality ensures the kernel personality(2) is enforced
  - NoNewPrivileges fixes the process privileges to the ones set in the service
  - PrivateMounts makes any mount point created by the service private to the service itself
  - ProtectClock prevents the system clock from being altered by the service
  - ProtectControlGroups prevents the system from accessing the kernel control groups ( and overriding the security settings )
  - ProtectKernelLogs prevents access to the kernel logs
  - ProtectKernelModules prevents loading/unloading kernel modules; bluetooth modules will be loaded as necessary anyway from bluetooth.service
  - ProtectKernelTunables denies access to the kernel runtime config
  - ProtectHostname prevents hostname changes from the service
  - ProtectHome prevents writing files to the home dir of the user
  - ProtectProc=invisible lets the service see only its own process tree and no further
  - ProtectSystem=strict makes the whole filesystem read-only except for the paths specified in ReadWritePaths
  - RestrictNamespaces denies altering the process namespace, useful to prevent bypassing protections
  - RestrictAddressFamilies limits the types of sockets that can be read/written by the process
  - RestrictSUIDSGID prevents setting SUID and SGID bits on files
  - RestrictRealtime prevents acquiring realtime scheduling priority
  - SystemCallArchitectures ensures that only native binaries are used ( e.g. only 64 bit in a mixed 32/64 bit environment; the 32 bit ISA is often full of security pitfalls )
  - SystemCallFilter=~@mount denies access to the mount functionality, to prevent bypassing most of the security settings
  - ReadWritePaths=/sys/class/bluetooth allows raw access to the bluetooth devices
  - ReadWritePaths=$base_directory allows the service to overwrite itself / its config ( dangerous, but fixing it is not in the scope of this patch )
  - ReadWritePaths=$service_config_path allows the service to overwrite the execution args of the daemon
- daemon-reload is not necessary to reload the environment file, so it's only executed for service installation
- all the features used are documented in systemd.exec(5), systemd.unit(5) and systemd.service(5)
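For readers who want to see the directives listed above assembled into one unit, here is an added example of a `monitor.service` written from that list. It is illustrative and not the file from this pull request: the binary path `/usr/local/bin/monitor`, the `MONITOR_ARGS` variable, the `/opt/monitor` stand-in for `$base_directory`, the `multi-user.target` install target and the chosen address families are all assumptions, since the description does not name them.

```ini
# Added example unit, not the project's own file. Placeholders are marked.
[Unit]
Description=Bluetooth monitor daemon (example)
# Ordering: start only once the Bluetooth daemon is up.
After=bluetooth.service
# Dependency: do not start if bluetooth.service fails to start...
Requires=bluetooth.service
# ...and stop whenever bluetooth.service stops or fails.
BindsTo=bluetooth.service

[Service]
# Run in the foreground so systemd tracks every PID in the unit's cgroup.
Type=simple
# Optional environment file (leading "-" tolerates its absence). Keeping the
# arguments here means the daemon never has to rewrite its own unit file.
EnvironmentFile=-/etc/default/monitor
# Assumption: binary path and argument variable are placeholders.
ExecStart=/usr/local/bin/monitor $MONITOR_ARGS
# Relaunch only after an unclean exit; a deliberate one-shot run stays down.
Restart=on-failure

# Sandboxing directives from the description, see systemd.exec(5).
LockPersonality=yes
NoNewPrivileges=yes
PrivateMounts=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectHostname=yes
ProtectHome=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictNamespaces=yes
# Assumption: the daemon needs local, IP and Bluetooth sockets only.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_BLUETOOTH
RestrictSUIDSGID=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=~@mount

# With ProtectSystem=strict everything is read-only except these paths.
ReadWritePaths=/sys/class/bluetooth
ReadWritePaths=/etc/default/monitor
# Placeholder for $base_directory; replace with the real install directory.
ReadWritePaths=/opt/monitor

[Install]
# Assumption: plain multi-user boot rather than network.target.
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze verify monitor.service` catches syntax and dependency mistakes, and `systemd-analyze security monitor.service` prints an exposure score per directive, which makes it easy to confirm that each of the protections above is actually in effect and to spot any that the running systemd version does not support. Editing `/etc/default/monitor` only requires `systemctl restart monitor.service`; `systemctl daemon-reload` is needed only when the unit file itself changes, matching the behaviour described in the pull request.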