Fix sandboxing of smokeping exporter
authorTom Hughes <tom@compton.nu>
Wed, 8 Mar 2023 19:25:41 +0000 (19:25 +0000)
committerTom Hughes <tom@compton.nu>
Wed, 8 Mar 2023 19:25:41 +0000 (19:25 +0000)
cookbooks/prometheus/recipes/smokeping.rb
cookbooks/prometheus/resources/exporter.rb
cookbooks/systemd/resources/service.rb
cookbooks/systemd/templates/default/service.erb

index 975f8a5c25be1bcb6c2d64029f7de0ac3f5002ef..5f11d2c90bf9c73d7315458802410ad2bd7fd5c3 100644 (file)
@@ -40,4 +40,7 @@ end
 prometheus_exporter "smokeping" do
   port 9374
   options "--config.file=/etc/prometheus/exporters/smokeping.yml"
+  capability_bounding_set "CAP_NET_RAW"
+  ambient_capabilities "CAP_NET_RAW"
+  private_users false
 end
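Review bot: The three added settings loosen the exporter's sandbox, but nothing in the block records why, and `private_users false` in particular will look like an accidental weakening to a later reader. A comment above them would make the exception auditable, for example `# ICMP probes need a raw socket: grant only CAP_NET_RAW, and keep the host user namespace because PrivateUsers=yes leaves the service with no capabilities in it`. That reading of the need for raw sockets is inferred from the capability chosen, so adjust the wording if the reason differs. Keeping the bounding set to the single capability is the right shape; the comment should say so, so that nobody widens it later without a reason.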
index 782f84aa3669dbfe7ff11c176a8a6535a8cb2b19..0e1d9d6e46a1be1ac8ffd8be33aa0cc836b58dcc 100644 (file)
@@ -33,7 +33,10 @@ property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
 property :protect_proc, String
 property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
 property :private_devices, [true, false]
+property :private_users, [true, false]
 property :protect_clock, [true, false]
 property :restrict_address_families, [String, Array]
 property :remove_ipc, [true, false]
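Review bot: The new `capability_bounding_set` and `ambient_capabilities` properties accept any string or array, and the same holds for `ambient_capabilities` in the cookbooks/systemd/resources/service.rb hunk, whose value the template joins straight into the unit file. A misspelled name would only surface at runtime (as far as I know systemd logs and ignores names it cannot parse), leaving the service with a different privilege set than the recipe states. Validating in the systemd resource would catch that at converge time, e.g. `:callbacks => { "must be CAP_* names" => ->(v) { Array(v).all? { |c| c.match?(/\ACAP_[A-Z_]+\z/) } } }`. If inverted `~` lists are used anywhere, the pattern needs to allow for them.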
@@ -58,7 +61,10 @@ action :create do
     sandbox :enable_network => true
     protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
     proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+    ambient_capabilities new_resource.ambient_capabilities if new_resource.property_is_set?(:ambient_capabilities)
     private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
     protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
     restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
     remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
index 35655dc7a500a76d1a9a2b33845b45e369de1b0d..e82b33fb0a109f08fef75f477b3eb97bd747a9f9 100644 (file)
@@ -68,6 +68,7 @@ property :protect_proc, String,
 property :proc_subset, String,
          :is => %w[all pid]
 property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
 property :no_new_privileges, [true, false]
 property :protect_system, [true, false, String]
 property :protect_home, [true, false, String]
@@ -118,6 +119,7 @@ action :create do
     service_variables[:protect_proc] = "invisible" unless property_is_set?(:protect_proc)
     service_variables[:proc_subset] = "pid" unless property_is_set?(:proc_subset)
     service_variables[:capability_bounding_set] = [] unless property_is_set?(:capability_bounding_set)
+    service_variables[:ambient_capabilities] = [] unless property_is_set?(:ambient_capabilities)
     service_variables[:no_new_privileges] = true unless property_is_set?(:no_new_privileges)
     service_variables[:protect_system] = "strict" unless property_is_set?(:protect_system)
     service_variables[:protect_home] = true unless property_is_set?(:protect_home)
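Review bot: Nothing here checks that the ambient set stays inside the bounding set, so a resource that sets `ambient_capabilities` but leaves `capability_bounding_set` unset gets the empty bounding set from the line above alongside a non-empty ambient set. Whether systemd still grants the capability in that case is not something the cookbook should rely on, and either outcome differs from what the recipe author meant. A guard after these defaults would make the mismatch a converge-time error, something like `extra = Array(service_variables[:ambient_capabilities]) - Array(service_variables[:capability_bounding_set])` followed by a `raise` naming `extra` when it is non-empty and a bounding set is in force. The `action :create` body and the conditional enclosing these lines start and end outside the hunk, so the exact placement and variable names need checking against the full file.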
index a4ff29fa96988f92a167a8a6af9b787bafc5fde9..1172d0b96c3f4b5d1a82b071f5ef25f87ddb0697 100644 (file)
@@ -145,6 +145,9 @@ NoNewPrivileges=<%= @no_new_privileges %>
 <% if @capability_bounding_set -%>
 CapabilityBoundingSet=<%= Array(@capability_bounding_set).sort.uniq.join(" ") %>
 <% end -%>
+<% if @ambient_capabilities -%>
+AmbientCapabilities=<%= Array(@ambient_capabilities).sort.uniq.join(" ") %>
+<% end -%>
 <% if @protect_system -%>
 ProtectSystem=<%= @protect_system %>
 <% end -%>