Add some extra sandboxing options to systemd_service

diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index aa575189defcf9c495d7a972a55821e8072f984c..ae09b7b7de83370b357ee6f47367fb5701dead7b 100644 (file)
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -58,16 +58,37 @@ property :standard_error, String,
 property :success_exit_status, [Integer, String, Array]
 property :restart, String,
          :is => %w[on-success on-failure on-abnormal on-watchdog on-abort always]
-property :private_tmp, [true, false]
-property :private_devices, [true, false]
-property :private_network, [true, false]
-property :protect_system, [TrueClass, FalseClass, String]
-property :protect_home, [TrueClass, FalseClass, String]
+property :protect_proc, String,
+         :is => %w[noaccess invisible ptraceable default]
+property :proc_subset, String,
+         :is => %w[all pid]
+property :capability_bounding_set, [String, Array]
+property :no_new_privileges, [true, false]
+property :protect_system, [true, false, String]
+property :protect_home, [true, false, String]
 property :read_write_paths, [String, Array]
 property :read_only_paths, [String, Array]
 property :inaccessible_paths, [String, Array]
+property :private_tmp, [true, false]
+property :private_devices, [true, false]
+property :private_network, [true, false]
+property :private_ipc, [true, false]
+property :private_users, [true, false]
+property :protect_hostname, [true, false]
+property :protect_clock, [true, false]
+property :protect_kernel_tunables, [true, false]
+property :protect_kernel_modules, [true, false]
+property :protect_kernel_logs, [true, false]
+property :protect_control_groups, [true, false]
 property :restrict_address_families, [String, Array]
-property :no_new_privileges, [true, false]
+property :restrict_namespaces, [true, false, String, Array]
+property :lock_personality, [true, false]
+property :memory_deny_write_execute, [true, false]
+property :restrict_realtime, [true, false]
+property :restrict_suid_sgid, [true, false]
+property :remove_ipc, [true, false]
+property :system_call_filter, [String, Array]
+property :system_call_architectures, [String, Array]
 property :tasks_max, Integer
 property :timeout_start_sec, Integer
 property :timeout_stop_sec, Integer

diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index 4fba56c0f7cdc905df3b80980bbd438766eeec48..5f6e787e5295b1941c24d9589beba38e993debff 100644 (file)
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -105,14 +105,17 @@ StandardOutput=<%= @standard_output %>
 <% if @standard_error -%>
 StandardError=<%= @standard_error %>
 <% end -%>
-<% if @private_tmp -%>
-PrivateTmp=<%= @private_tmp %>
+<% if @protect_proc -%>
+ProtectProc=<%= @protect_proc %>
 <% end -%>
-<% if @private_devices -%>
-PrivateDevices=<%= @private_devices %>
+<% if @proc_subset -%>
+ProcSubset=<%= @proc_subset %>
 <% end -%>
-<% if @private_network -%>
-PrivateNetwork=<%= @private_network %>
+<% if @no_new_privileges -%>
+NoNewPrivileges=<%= @no_new_privileges %>
+<% end -%>
+<% if @capability_bounding_set -%>
+CapabilityBoundingSet=<%= Array(@capability_bounding_set).join(" ") %>
 <% end -%>
 <% if @protect_system -%>
 ProtectSystem=<%= @protect_system %>
@@ -129,11 +132,65 @@ ReadOnlyPaths=<%= Array(@read_only_paths).join(" ") %>
 <% if @inaccessible_paths -%>
 InaccessiblePaths=<%= Array(@inaccessible_paths).join(" ") %>
 <% end -%>
+<% if @private_tmp -%>
+PrivateTmp=<%= @private_tmp %>
+<% end -%>
+<% if @private_devices -%>
+PrivateDevices=<%= @private_devices %>
+<% end -%>
+<% if @private_network -%>
+PrivateNetwork=<%= @private_network %>
+<% end -%>
+<% if @private_ipc -%>
+PrivateIPC=<%= @private_ipc %>
+<% end -%>
+<% if @private_users -%>
+PrivateUsers=<%= @private_users %>
+<% end -%>
+<% if @protect_hostname -%>
+ProtectHostname=<%= @protect_hostname %>
+<% end -%>
+<% if @protect_clock -%>
+ProtectClock=<%= @protect_clock %>
+<% end -%>
+<% if @protect_kernel_tunables -%>
+ProtectKernelTunables=<%= @protect_kernel_tunables %>
+<% end -%>
+<% if @protect_kernel_modules -%>
+ProtectKernelModules=<%= @protect_kernel_modules %>
+<% end -%>
+<% if @protect_kernel_logs -%>
+ProtectKernelLogs=<%= @protect_kernel_logs %>
+<% end -%>
+<% if @protect_control_groups -%>
+ProtectControlGroups=<%= @protect_control_groups %>
+<% end -%>
 <% if @restrict_address_families -%>
 RestrictAddressFamilies=<%= Array(@restrict_address_families).join(" ") %>
 <% end -%>
-<% if @no_new_privileges -%>
-NoNewPrivileges=<%= @no_new_privileges %>
+<% if @restrict_namespaces -%>
+RestrictNamespaces=<%= Array(@restrict_namespaces).join(" ") %>
+<% end -%>
+<% if @lock_personality -%>
+LockPersonality=<%= @lock_personality %>
+<% end -%>
+<% if @memory_deny_write_execute -%>
+MemoryDenyWriteExecute=<%= @memory_deny_write_execute %>
+<% end -%>
+<% if @restrict_realtime -%>
+RestrictRealtime=<%= @restrict_realtime %>
+<% end -%>
+<% if @restrict_suid_sgid -%>
+RestrictSUIDSGID=<%= @restrict_suid_sgid %>
+<% end -%>
+<% if @remove_ipc -%>
+RemoveIPC=<%= @remove_ipc %>
+<% end -%>
+<% if @system_call_filter -%>
+SystemCallFilter=<%= Array(@system_call_filter).join(" ") %>
+<% end -%>
+<% if @system_call_architectures -%>
+SystemCallArchitectures=<%= Array(@system_call_architectures).join(" ") %>
 <% end -%>
 <% if @tasks_max -%>
 TasksMax=<%= @tasks_max %>