From 0ff9f261a10a51cc80225af7f0e873b6b8573f01 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 15 Nov 2022 18:31:07 +0000
Subject: [PATCH] Use default sandboxing for planet replication services

---
 cookbooks/planet/recipes/replication.rb | 49 ++++---------------------
 1 file changed, 7 insertions(+), 42 deletions(-)

diff --git a/cookbooks/planet/recipes/replication.rb b/cookbooks/planet/recipes/replication.rb
index 68868d192..85d49bc09 100644
--- a/cookbooks/planet/recipes/replication.rb
+++ b/cookbooks/planet/recipes/replication.rb
@@ -162,13 +162,8 @@ systemd_service "users-agreed" do
   user "planet"
   exec_start "/usr/local/bin/users-agreed"
   nice 10
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths "/store/planet/users_agreed"
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "users-agreed" do
@@ -181,13 +176,8 @@ systemd_service "users-deleted" do
   user "planet"
   exec_start "/usr/local/bin/users-deleted"
   nice 10
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths "/store/planet/users_deleted"
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "users-deleted" do
@@ -215,16 +205,11 @@ systemd_service "replication-changesets" do
   description "Changesets replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-changesets /etc/replication/changesets.conf"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths [
     "/run/replication",
     "/store/planet/replication/changesets"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-changesets" do
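Review bot: Replacing the explicit hardening directives with `sandbox :enable_network => true` only preserves the previous hardening if the `systemd_service` resource's sandbox defaults emit at least `PrivateTmp`, `PrivateDevices`, `ProtectSystem=strict`, `ProtectHome`, `NoNewPrivileges` and `RestrictAddressFamilies=AF_INET AF_INET6`; that resource is outside this patch, so the equivalence cannot be confirmed from the hunk, and the opening `systemd_service ... do` line of each block appears only in the hunk header. The same applies to the users-deleted, replication-changesets, replication-minutely, replication-hourly and replication-daily hunks. It would be worth comparing the rendered unit files (for example via `systemctl show` on each unit) before and after the change to confirm no directive was dropped, in particular that `:enable_network => true` still restricts the address families rather than lifting `RestrictAddressFamilies` entirely. Once confirmed, a short comment next to the first `sandbox` call, e.g. `# sandbox supplies the PrivateTmp/ProtectSystem/NoNewPrivileges/RestrictAddressFamilies hardening previously listed inline`, would keep the intent visible to the next reader.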
@@ -280,17 +265,12 @@ systemd_service "replication-minutely" do
   user "planet"
   working_directory "/etc/replication"
   exec_start "/usr/local/bin/replicate-minute"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths [
     "/run/replication",
     "/store",
     "/var/lib/replication/minute"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-minutely" do
@@ -331,16 +311,11 @@ systemd_service "replication-hourly" do
   user "planet"
   exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/hour"
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths [
     "/store/planet/replication/hour",
     "/var/lib/replication/hour"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-hourly" do
@@ -379,16 +354,11 @@ systemd_service "replication-daily" do
   user "planet"
   exec_start "/usr/local/bin/osmosis -q --merge-replication-files workingDirectory=/var/lib/replication/day"
   environment "LD_PRELOAD" => "/opt/flush/flush.so"
-  private_tmp true
-  private_devices true
-  protect_system "strict"
-  protect_home true
+  sandbox :enable_network => true
   read_write_paths [
     "/store/planet/replication/day",
     "/var/lib/replication/day"
   ]
-  restrict_address_families %w[AF_INET AF_INET6]
-  no_new_privileges true
 end
 
 systemd_timer "replication-daily" do
@@ -402,13 +372,8 @@ systemd_service "replication-cleanup" do
   description "Cleanup replication"
   user "planet"
   exec_start "/usr/local/bin/replicate-cleanup"
-  private_tmp true
-  private_devices true
-  private_network true
-  protect_system "strict"
-  protect_home true
+  sandbox true
   read_write_paths "/var/lib/replication"
-  no_new_privileges true
 end
 
 systemd_timer "replication-cleanup" do
-- 
2.43.2
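Review bot: The replication-cleanup hunk is the only one in this patch that previously set `private_network true`, and it is replaced by a bare `sandbox true`; whether that default keeps networking disabled (rather than merely not setting `:enable_network`) is not visible here and should be confirmed, since a cleanup job whose only writable path is `/var/lib/replication` presumably has no need for network access. The block's opening `systemd_service "replication-cleanup" do` line sits in the hunk header, outside the hunk. If the default does not map to `PrivateNetwork=yes`, keeping `private_network true` alongside `sandbox true` would preserve the prior isolation, assuming the resource still accepts that property next to `sandbox`.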