diff options
author | Craig Andrews <candrews@integralblue.com> | 2016-06-28 22:08:45 +0200 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2018-12-12 17:12:02 +0100 |
commit | 40c4d7f1820df1872a71ab07fd26da45a203e37f (patch) | |
tree | ee8c729e7b6bb87cd87239950f7bbef6a9c76723 /sapi | |
parent | 4d0a2f68a9063cd6befe3ce459f91cdad755996f (diff) | |
download | php-git-40c4d7f1820df1872a71ab07fd26da45a203e37f.tar.gz |
Implement FR #72510: systemd service should be hardened
Diffstat (limited to 'sapi')
-rw-r--r-- | sapi/fpm/php-fpm.service.in | 54 |
1 files changed, 54 insertions, 0 deletions
diff --git a/sapi/fpm/php-fpm.service.in b/sapi/fpm/php-fpm.service.in index 8a541c0865..857cb0e8f1 100644 --- a/sapi/fpm/php-fpm.service.in +++ b/sapi/fpm/php-fpm.service.in @@ -11,7 +11,61 @@ Type=@php_fpm_systemd@ PIDFile=@EXPANDED_LOCALSTATEDIR@/run/php-fpm.pid ExecStart=@EXPANDED_SBINDIR@/php-fpm --nodaemonize --fpm-config @EXPANDED_SYSCONFDIR@/php-fpm.conf ExecReload=/bin/kill -USR2 $MAINPID + +# Set up a new file system namespace and mounts private /tmp and /var/tmp directories +# so this service cannot access the global directories and other processes cannot +# access this service's directories. PrivateTmp=true +# The directories /home, /root and /run/user are made inaccessible and empty for processes +# invoked by this unit. +ProtectHome=true + +# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit. +ProtectSystem=full + +# Ensures that the service process and all its children can never gain new privileges +NoNewPrivileges=true + +# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices +# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, +# but no physical devices such as /dev/sda. +PrivateDevices=true + +# Required for dropping privileges and running as a different user +CapabilityBoundingSet=CAP_SETGID CAP_SETUID + +# Attempts to create memory mappings that are writable and executable at the same time, +# or to change existing memory mappings to become executable are prohibited. +MemoryDenyWriteExecute=true + +# Explicit module loading will be denied. This allows to turn off module load and unload +# operations on modular kernels. It is recommended to turn this on for most services that +# do not need special file systems or extra kernel modules to work. +ProtectKernelModules=true + +# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats, +# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes +# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the +# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence +# recommended to turn this on for most services. +ProtectKernelTunables=true + +# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be +# made read-only to all processes of the unit. Except for container managers no services should +# require write access to the control groups hierarchies; it is hence recommended to turn this on +# for most services +ProtectControlGroups=true + +# Any attempts to enable realtime scheduling in a process of the unit are refused. +RestrictRealtime=true + +# Restricts the set of socket address families accessible to the processes of this unit. +# Protects against vulnerabilities such as CVE-2016-8655 +RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX + +# Takes away the ability to create or manage any kind of namespace +RestrictNamespaces=true + [Install] WantedBy=multi-user.target |