diff options
| author | Lennart Poettering <lennart@poettering.net> | 2018-04-16 21:41:40 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2018-05-24 17:01:57 +0200 |
| commit | 61d0578b07b97cbffebfd350bac481274e310d39 (patch) | |
| tree | daa8b07cf96b942ba7be0eab3ce86c1fa9cf029e /src/portable/profile | |
| parent | 19017acb9f3e5e7edad18f59acb872bfb8dda949 (diff) | |
| download | systemd-61d0578b07b97cbffebfd350bac481274e310d39.tar.gz | |
add new portable service framework
This adds a small service "systemd-portabled" and a matching client
"portablectl", which implement the "portable service" concept.
The daemon implements the actual operations, is PolicyKit-enabled and is
activated on demand with exit-on-idle.
Both the daemon and the client are an optional build artifact, enabled
by default rhough.
Diffstat (limited to 'src/portable/profile')
| -rw-r--r-- | src/portable/profile/default/service.conf | 30 | ||||
| -rw-r--r-- | src/portable/profile/nonetwork/service.conf | 30 | ||||
| -rw-r--r-- | src/portable/profile/strict/service.conf | 29 | ||||
| -rw-r--r-- | src/portable/profile/trusted/service.conf | 7 |
4 files changed, 96 insertions, 0 deletions
diff --git a/src/portable/profile/default/service.conf b/src/portable/profile/default/service.conf new file mode 100644 index 0000000000..993d351638 --- /dev/null +++ b/src/portable/profile/default/service.conf @@ -0,0 +1,30 @@ +# The "default" security profile for services, i.e. a number of useful restrictions + +[Service] +MountAPIVFS=yes +TemporaryFileSystem=/run +BindReadOnlyPaths=/run/systemd/notify +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout +BindReadOnlyPaths=/etc/machine-id +BindReadOnlyPaths=/etc/resolv.conf +BindReadOnlyPaths=/run/dbus/system_bus_socket +DynamicUser=yes +RemoveIPC=yes +CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \ + CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_NET_ADMIN \ + CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_SETGID CAP_SETPCAP \ + CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE +PrivateTmp=yes +PrivateDevices=yes +PrivateUsers=yes +ProtectSystem=strict +ProtectHome=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictNamespaces=yes +SystemCallArchitectures=native diff --git a/src/portable/profile/nonetwork/service.conf b/src/portable/profile/nonetwork/service.conf new file mode 100644 index 0000000000..0d9c5a38d8 --- /dev/null +++ b/src/portable/profile/nonetwork/service.conf @@ -0,0 +1,30 @@ +# The "nonetwork" security profile for services, i.e. like "default" but without networking + +[Service] +MountAPIVFS=yes +TemporaryFileSystem=/run +BindReadOnlyPaths=/run/systemd/notify +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout +BindReadOnlyPaths=/etc/machine-id +BindReadOnlyPaths=/run/dbus/system_bus_socket +DynamicUser=yes +RemoveIPC=yes +CapabilityBoundingSet=CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER \ + CAP_FSETID CAP_IPC_LOCK CAP_IPC_OWNER CAP_KILL CAP_MKNOD CAP_SETGID CAP_SETPCAP \ + CAP_SETUID CAP_SYS_ADMIN CAP_SYS_CHROOT CAP_SYS_NICE CAP_SYS_RESOURCE +PrivateTmp=yes +PrivateDevices=yes +PrivateUsers=yes +ProtectSystem=strict +ProtectHome=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX AF_NETLINK +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictNamespaces=yes +SystemCallArchitectures=native +PrivateNetwork=yes +IPAddressDeny=any diff --git a/src/portable/profile/strict/service.conf b/src/portable/profile/strict/service.conf new file mode 100644 index 0000000000..d12620fc99 --- /dev/null +++ b/src/portable/profile/strict/service.conf @@ -0,0 +1,29 @@ +# The "strict" security profile for services, all options turned on + +[Service] +MountAPIVFS=yes +TemporaryFileSystem=/run +BindReadOnlyPaths=/run/systemd/notify +BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout +BindReadOnlyPaths=/etc/machine-id +DynamicUser=yes +RemoveIPC=yes +CapabilityBoundingSet= +PrivateTmp=yes +PrivateDevices=yes +PrivateUsers=yes +ProtectSystem=strict +ProtectHome=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +LockPersonality=yes +NoNewPrivileges=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictNamespaces=yes +SystemCallArchitectures=native +PrivateNetwork=yes +IPAddressDeny=any +TasksMax=4 diff --git a/src/portable/profile/trusted/service.conf b/src/portable/profile/trusted/service.conf new file mode 100644 index 0000000000..9a6af70b93 --- /dev/null +++ b/src/portable/profile/trusted/service.conf @@ -0,0 +1,7 @@ +# The "trusted" profile for services, i.e. no restrictions are applied + +[Service] +MountAPIVFS=yes +BindPaths=/run +BindReadOnlyPaths=/etc/machine-id +BindReadOnlyPaths=/etc/resolv.conf |