From dfe2dc343afd3bb48e385e935a50fff114ed36be Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Tue, 8 Nov 2022 20:20:25 +0000
Subject: [PATCH] Add some extra sandboxing options to systemd_service
---
 cookbooks/systemd/resources/service.rb | 33 +++++++--
 .../systemd/templates/default/service.erb | 73 +++++++++++++++++--
 2 files changed, 92 insertions(+), 14 deletions(-)
diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index aa575189d..ae09b7b7d 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -58,16 +58,37 @@ property :standard_error, String,
 property :success_exit_status, [Integer, String, Array]
 property :restart, String,
          :is => %w[on-success on-failure on-abnormal on-watchdog on-abort always]
-property :private_tmp, [true, false]
-property :private_devices, [true, false]
-property :private_network, [true, false]
-property :protect_system, [TrueClass, FalseClass, String]
-property :protect_home, [TrueClass, FalseClass, String]
+property :protect_proc, String,
+         :is => %w[noaccess invisible ptraceable default]
+property :proc_subset, String,
+         :is => %w[all pid]
+property :capability_bounding_set, [String, Array]
+property :no_new_privileges, [true, false]
+property :protect_system, [true, false, String]
+property :protect_home, [true, false, String]
 property :read_write_paths, [String, Array]
 property :read_only_paths, [String, Array]
 property :inaccessible_paths, [String, Array]
+property :private_tmp, [true, false]
+property :private_devices, [true, false]
+property :private_network, [true, false]
+property :private_ipc, [true, false]
+property :private_users, [true, false]
+property :protect_hostname, [true, false]
+property :protect_clock, [true, false]
+property :protect_kernel_tunables, [true, false]
+property :protect_kernel_modules, [true, false]
+property :protect_kernel_logs, [true, false]
+property :protect_control_groups, [true, false]
 property :restrict_address_families, [String, Array]
-property :no_new_privileges, [true, false]
+property :restrict_namespaces, [true, false, String, Array]
+property :lock_personality, [true, false]
+property :memory_deny_write_execute, [true, false]
+property :restrict_realtime, [true, false]
+property :restrict_suid_sgid, [true, false]
+property :remove_ipc, [true, false]
+property :system_call_filter, [String, Array]
+property :system_call_architectures, [String, Array]
 property :tasks_max, Integer
 property :timeout_start_sec, Integer
 property :timeout_stop_sec, Integer
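Review bot: `protect_system` and `protect_home` still accept any String unvalidated, while the new `protect_proc` and `proc_subset` declared right above them get an `:is` list; systemd only understands `full`/`strict` for ProtectSystem= and `read-only`/`tmpfs` for ProtectHome=, so a typo in a recipe would only surface when systemd rejects the unit at load time. Declaring them as `property :protect_system, [true, false, String], :is => [true, false, "full", "strict"]` and `property :protect_home, [true, false, String], :is => [true, false, "read-only", "tmpfs"]` would catch that at converge time like the other validators do. The property list continues past the end of the hunk.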
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index 4fba56c0f..5f6e787e5 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -105,14 +105,17 @@ StandardOutput=<%= @standard_output %>
 <% if @standard_error -%>
 StandardError=<%= @standard_error %>
 <% end -%>
-<% if @private_tmp -%>
-PrivateTmp=<%= @private_tmp %>
+<% if @protect_proc -%>
+ProtectProc=<%= @protect_proc %>
 <% end -%>
-<% if @private_devices -%>
-PrivateDevices=<%= @private_devices %>
+<% if @proc_subset -%>
+ProcSubset=<%= @proc_subset %>
 <% end -%>
-<% if @private_network -%>
-PrivateNetwork=<%= @private_network %>
+<% if @no_new_privileges -%>
+NoNewPrivileges=<%= @no_new_privileges %>
+<% end -%>
+<% if @capability_bounding_set -%>
+CapabilityBoundingSet=<%= Array(@capability_bounding_set).join(" ") %>
 <% end -%>
 <% if @protect_system -%>
 ProtectSystem=<%= @protect_system %>
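Review bot: Every `<% if @… -%>` guard in this hunk, and in the longer hunk below covering PrivateTmp through SystemCallArchitectures, renders nothing for an explicit `false`, so `no_new_privileges false` in a recipe is indistinguishable from leaving the property unset and the resource can never emit e.g. `NoNewPrivileges=false`. As far as I know these directives all default to off in systemd, so this is not a bug today, but it is a surprise for anyone who sets a property to `false` expecting a line in the unit. Either a comment on the boolean properties in the resource saying that only `true` has an effect, or `<% unless @no_new_privileges.nil? -%>` in place of the truthiness check where an explicit off is wanted, would make the contract clear.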
@@ -129,11 +132,65 @@ ReadOnlyPaths=<%= Array(@read_only_paths).join(" ") %>
 <% if @inaccessible_paths -%>
 InaccessiblePaths=<%= Array(@inaccessible_paths).join(" ") %>
 <% end -%>
+<% if @private_tmp -%>
+PrivateTmp=<%= @private_tmp %>
+<% end -%>
+<% if @private_devices -%>
+PrivateDevices=<%= @private_devices %>
+<% end -%>
+<% if @private_network -%>
+PrivateNetwork=<%= @private_network %>
+<% end -%>
+<% if @private_ipc -%>
+PrivateIPC=<%= @private_ipc %>
+<% end -%>
+<% if @private_users -%>
+PrivateUsers=<%= @private_users %>
+<% end -%>
+<% if @protect_hostname -%>
+ProtectHostname=<%= @protect_hostname %>
+<% end -%>
+<% if @protect_clock -%>
+ProtectClock=<%= @protect_clock %>
+<% end -%>
+<% if @protect_kernel_tunables -%>
+ProtectKernelTunables=<%= @protect_kernel_tunables %>
+<% end -%>
+<% if @protect_kernel_modules -%>
+ProtectKernelModules=<%= @protect_kernel_modules %>
+<% end -%>
+<% if @protect_kernel_logs -%>
+ProtectKernelLogs=<%= @protect_kernel_logs %>
+<% end -%>
+<% if @protect_control_groups -%>
+ProtectControlGroups=<%= @protect_control_groups %>
+<% end -%>
 <% if @restrict_address_families -%>
 RestrictAddressFamilies=<%= Array(@restrict_address_families).join(" ") %>
 <% end -%>
-<% if @no_new_privileges -%>
-NoNewPrivileges=<%= @no_new_privileges %>
+<% if @restrict_namespaces -%>
+RestrictNamespaces=<%= Array(@restrict_namespaces).join(" ") %>
+<% end -%>
+<% if @lock_personality -%>
+LockPersonality=<%= @lock_personality %>
+<% end -%>
+<% if @memory_deny_write_execute -%>
+MemoryDenyWriteExecute=<%= @memory_deny_write_execute %>
+<% end -%>
+<% if @restrict_realtime -%>
+RestrictRealtime=<%= @restrict_realtime %>
+<% end -%>
+<% if @restrict_suid_sgid -%>
+RestrictSUIDSGID=<%= @restrict_suid_sgid %>
+<% end -%>
+<% if @remove_ipc -%>
+RemoveIPC=<%= @remove_ipc %>
+<% end -%>
+<% if @system_call_filter -%>
+SystemCallFilter=<%= Array(@system_call_filter).join(" ") %>
+<% end -%>
+<% if @system_call_architectures -%>
+SystemCallArchitectures=<%= Array(@system_call_architectures).join(" ") %>
 <% end -%>
 <% if @tasks_max -%>
 TasksMax=<%= @tasks_max %>
-- 
2.43.2
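Review bot: `SystemCallFilter=<%= Array(@system_call_filter).join(" ") %>` folds the whole array into a single directive, so the common systemd pattern of an allow list followed by a `~`-prefixed deny list, which as I understand it relies on several `SystemCallFilter=` lines being merged, cannot be expressed through this property; the same applies to `CapabilityBoundingSet=` in the previous hunk. If that pattern is intended, emitting one directive per element, `<% Array(@system_call_filter).each do |filter| -%>` / `SystemCallFilter=<%= filter %>` / `<% end -%>`, keeps single-string callers unchanged and lets an array carry both lists. If a single space-joined list is the intended contract, a short comment on `system_call_filter` in the resource saying so would save the next reader from trying. The `@tasks_max` block continues past the end of the hunk.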