Hi everyone,

I noticed that there are many systemd units which are shipped by various
packages which could be hardened, some further than they are currently and some
that could use some hardening in general.

For those who are unaware, systemd units support many options which can be used
to restrict privileges of the processes run by the service. Some of these
options include things like making specified paths inaccessible or read-only,
setting the no_new_privs flag, protecting kernel sysctls, preventing the loading
of kernel modules, applying a seccomp filter to restrict syscalls, and more. I
frequently reference systemd.exec(5)[1] and this page[2] for reference.

Many of these options are fairly easy to apply from a user perspective - a user
only needs to harden something like miniflux.service by overriding settings via
'systemctl edit miniflux.service' (or manually editing
/etc/systemd/system/miniflux.service.d/override.conf). But, I want to propose an
initiative to set some of these options by default for systemd units shipped in
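
As an added illustration (not part of the original message and not the miniflux
package's own unit), here is what such a drop-in could look like, combining the
options named above: read-only root with an explicit writable state directory,
no_new_privs, hidden devices and home directories, protected sysctls and module
loading, and a seccomp filter. The paths /var/lib/miniflux and the assumption
that the unit already runs under an unprivileged User= are illustrative.

```ini
# /etc/systemd/system/miniflux.service.d/override.conf
# Example hardening drop-in; paths and the unprivileged User= are assumptions.
[Service]
# Block privilege gains via setuid/setgid binaries and file capabilities
NoNewPrivileges=true

# Mount the whole tree read-only; only the listed paths stay writable.
# This is the setting that breaks a service whose data lives elsewhere.
ProtectSystem=strict
ReadWritePaths=/var/lib/miniflux

# Hide /home, /root, /run/user and real device nodes
ProtectHome=true
PrivateDevices=true

# Deny writes to /proc/sys, /sys and cgroup trees; forbid module loading
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true

# Restrict syscalls to what a typical system service needs;
# violations return EPERM instead of killing the process
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM

# Private /tmp, no new namespaces, no personality changes
PrivateTmp=true
RestrictNamespaces=true
LockPersonality=true

# Assumes the daemon only needs IPv4/IPv6 sockets and local sockets
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
```

After writing the drop-in, `systemctl daemon-reload` and a restart apply it, and
`systemd-analyze security miniflux.service` reports which of the exposure
checks the unit now passes, which is a quick way to compare before and after.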

Care must be taken though, as some of these options may end up breaking some
functionality that could be expected by users. An example of this may be if the
package maintainer made the root filesystem read-only for a service except for
its private /var/lib, but a user was using an entirely different directory for
the service's read-writable data. Something like this may need to be
communicated via post-installation messages or simply left out by default,
depending on the circumstances. On the other hand, there are many options like
restricting syscalls via SystemCallFilter=@system-service or restricting
privilege escalation via NoNewPrivileges=true that I think are generally safe to
apply, but each service is different and needs to be handled and tested
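
One way for a maintainer or post-installation script to catch the failure mode
described above (a user's data directory that would silently become read-only
under ProtectSystem=) is a pre-check that parses the drop-in. The following is
an added example, not code from the original post or from any package; the
function names and the sample drop-in in its usage are hypothetical. It handles
ProtectSystem=strict (everything read-only except what ReadWritePaths= and
StateDirectory= open up) and the weaker full/true modes, which only cover
/usr, /boot, /efi and, for full, /etc.

```shell
#!/bin/sh
# Hypothetical pre-check: would DATADIR still be writable once OVERRIDE applies?
# Usage: check_data_dir_writable /etc/systemd/system/foo.service.d/override.conf /srv/foo

# Every path the drop-in re-opens read-write: ReadWritePaths= entries (space
# separated, possibly repeated) and StateDirectory= names, which systemd
# creates writable under /var/lib.
collect_rw_paths() {
    sed -n 's/^ReadWritePaths=//p' "$1" | tr ' ' '\n'
    sed -n 's/^StateDirectory=//p' "$1" | tr ' ' '\n' | sed 's|^|/var/lib/|'
}

# Return 0 if $2 equals $1 or lies beneath it; "/" covers everything.
path_under() {
    [ "$1" = / ] && return 0
    case "$2" in
        "$1"|"$1"/*) return 0 ;;
        *) return 1 ;;
    esac
}

check_data_dir_writable() {
    override=$1
    datadir=$2
    # The last ProtectSystem= assignment wins, as it does for systemd itself.
    mode=$(sed -n 's/^ProtectSystem=//p' "$override" | tail -n 1)
    case "$mode" in
        strict)   ro="/" ;;
        full)     ro="/usr /boot /efi /etc" ;;
        true|yes) ro="/usr /boot /efi" ;;
        *) echo "no ProtectSystem= restriction; $datadir unaffected"; return 0 ;;
    esac
    # Paths the drop-in explicitly re-opens take precedence over the read-only tree.
    for p in $(collect_rw_paths "$override"); do
        p=${p#[-+]}   # strip the '-' (ignore if missing) and '+' (host root) prefixes
        if path_under "$p" "$datadir"; then
            echo "$datadir stays writable via $p"
            return 0
        fi
    done
    for p in $ro; do
        if path_under "$p" "$datadir"; then
            echo "WARNING: $datadir would be read-only under ProtectSystem=$mode"
            return 1
        fi
    done
    echo "$datadir stays writable under ProtectSystem=$mode"
    return 0
}
```

A non-zero exit from `check_data_dir_writable` is the signal that the data path
needs either an extra ReadWritePaths= line in the override or a post-install
message, which is exactly the decision the paragraph above describes.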

As for getting units updated, I think a good place to start would be to create a
new tracker bug for identifying packages providing systemd units that could be
improved in this regard, and each bug filed could include recommendations for
some of the more common options like ProtectSystem=, ProtectHome=,
ProtectDevices=, and others.

What do you think?

[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html
[2] https://docs.arbitrary.ch/security/systemd.html