1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 09:21:26 +03:00
Commit Graph

27 Commits

Author SHA1 Message Date
Lennart Poettering
6489ccfe48 units: make use of @reboot and @swap in our long-running service SystemCallFilter= settings
Tighten security up a bit more.
2017-02-09 16:12:03 +01:00
Lennart Poettering
b6c7278c38 units: turn on ProtectKernelModules= for most long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
c7fb922d62 units: switch on ProtectSystem=strict for our long running services
Let's step up the protection a notch
2017-02-09 16:12:03 +01:00
Lennart Poettering
3c19d0b46b units: restrict namespace for a good number of our own services
Basically, we turn it on for most long-running services, with the
exception of machined (whose child processes need to join containers
here and there), and importd (which sandboxes tar in a CLONE_NEWNET
namespace). machined is left unrestricted, and importd is restricted to
use only "net"
2017-02-09 16:12:03 +01:00
Lennart Poettering
7f396e5f66 units: set SystemCallArchitectures=native on all our long-running services 2017-02-09 16:12:03 +01:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
4e069746fe units: tighten system call filters a bit
Take away kernel keyring access, CPU emulation system calls and various debug
system calls from the various daemons we have.
2016-06-13 16:25:54 +02:00
Topi Miettinen
40093ce5dd units: add a basic SystemCallFilter (#3471)
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
2016-06-09 09:32:04 +02:00
Topi Miettinen
40652ca479 units: enable MemoryDenyWriteExecute (#3459)
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.

Closes: #3459
2016-06-08 14:23:37 +02:00
Lennart Poettering
c2fc2c2560 units: increase watchdog timeout to 3min for all our services
Apparently, disk IO issues are more frequent than we hope, and 1min
waiting for disk IO happens, so let's increase the watchdog timeout a
bit, for all our services.

See #1353 for an example where this triggers.
2015-09-29 21:55:51 +02:00
Kay Sievers
4b16233e59 timesyncd: enable timesyncd in virtual machines
On Fri, Mar 13, 2015 at 8:25 PM, Michael Marineau <michael.marineau@coreos.com> wrote:
> Currently systemd-timesyncd.service includes
> ConditionVirtualization=no, disabling it in both containers and
> virtual machines. Each VM platform tends to deal with or ignore the
> time problem in their own special ways, KVM/QEMU has the kernel time
> source kvm-clock, Xen has had different schemes over the years, VMware
> expects a userspace daemon sync the clock, and other platforms are
> content to drift with the wind as far as I can tell.
>
> I don't know of a robust way to know if a platform needs a little
> extra help from userspace to keep the clock sane or not but it seems
> generally safer to try than to risk drifting. Does anyone know of a
> reason to leave timesyncd off by default? Otherwise switching to
> ConditionVirtualization=!container should be reasonable.
2015-03-15 19:44:59 +01:00
Lennart Poettering
a24111cea6 Revert "units: add SecureBits"
This reverts commit 6a716208b3.

Apparently this doesn't work.

http://lists.freedesktop.org/archives/systemd-devel/2015-February/028212.html
2015-02-11 18:28:06 +01:00
Topi Miettinen
6a716208b3 units: add SecureBits
No setuid programs are expected to be executed, so add
SecureBits=noroot noroot-locked
to unit files.
2015-02-11 17:33:36 +01:00
Kay Sievers
01b85ba3ad timesyncd: do not start in virtualized environments 2014-06-17 03:34:09 +02:00
Lennart Poettering
689d781b87 units: minor cleanups 2014-06-17 02:43:44 +02:00
Lennart Poettering
ecde7065f7 units: rebuild /etc/passwd, the udev hwdb and the journal catalog files on boot
Only when necessary of course, nicely guarded with the new
ConditionNeedsUpdate= condition we added.
2014-06-13 13:26:32 +02:00
Lennart Poettering
55152b6ede units: pull in time-sync.target from systemd-timedated.service
After all, that's what we document for time-sync.target in
systemd.special(5), hence let's follow our own suggestion.
2014-06-06 16:20:33 +02:00
Lennart Poettering
1b8689f949 core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.
2014-06-04 18:12:55 +02:00
Lennart Poettering
417116f234 core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.

ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.

This patch also enables these settings for all our long-running services.

Together they should be good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data.
2014-06-03 23:57:51 +02:00
Kay Sievers
d636d37679 timesyncd: only update stamp file when we are synchronized
Create initial stamp file with compiled-in time to prevent bootups
with clocks in the future from storing invalid timestamps.

At shutdown, only update the timestamp if we got an authoritative
time to store.
2014-05-24 08:04:56 +08:00
Kay Sievers
52ffb444cb timesyncd: order after tmpfiles to get a working network monitor 2014-05-22 07:57:33 +09:00
Lennart Poettering
ece6e766cf timesyncd: save clock to disk everytime we get an NTP fix, and bump clock at boot using this
This is useful to make sure the system clock stays monotonic even on
systems that lack an RTC.

Also, why we are at it, also use the systemd release time for bumping
the clock, since it's a slightly less bad than starting with jan 1st,
1970.

This also moves timesyncd into the early bootphase, in order to make
sure this initial bump is guaranteed to have finished by the time we
start real daemons which might write to the file systemd and thus
shouldn't leave 1970's timestamps all over the place...
2014-05-21 00:23:39 +09:00
Lennart Poettering
9f7115498b timesyncd: enable watchdog support 2014-05-18 20:52:49 +09:00
Lennart Poettering
a349eb10d3 timesyncd: run timesyncd as unpriviliged user "systemd-timesync" (but still with CAP_SYS_TIME) 2014-05-18 20:52:49 +09:00
Lennart Poettering
e3ad07d21c timesyncd: limit capabilities to CAP_SYS_TIME 2014-05-15 18:55:19 +02:00
Tom Gundersen
0968137439 timesyncd: start after networkd
This is needed for the network monitor to work (as it requires networkd to set up the correct directories first).
2014-05-13 12:44:22 +02:00
Kay Sievers
a91df40e69 timesyncd: add unit and man page 2014-04-29 09:51:53 +02:00