forked from alexoundos/articles
commit 8121966ffc (parent 57daae7466): references to official systemd documentation
21 article.md
@ -57,7 +57,7 @@ _Btw, if your systemd service code gets large and you want to wrap it into somet
|
|||
|
||||
### common hardening options (execution environment configuration)
|
||||
|
||||
Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
|
||||
These options are described in [official systemd execution environment configuration](https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
|
||||
|
||||
```nix
|
||||
# (refer to [capabilities man page](https://www.man7.org/linux/man-pages/man7/capabilities.7.html))
|
||||
|
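Review bot: the added line keeps the comma splice of the line it replaces ("Note, that many of these may cause your service malfunction"); suggest "Note that many of these may cause your service to malfunction or even crash, so always test after applying them." Since this paragraph now links systemd.exec(5), "always test" is also the place to name the tool: `systemd-analyze security <unit>` scores the sandboxing settings of a unit, and `journalctl -u <unit>` is where the seccomp and mount-namespace failures of an over-tight profile show up.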
@ -89,6 +89,7 @@ ProtectKernelTunables = true;
|
|||
# some services need `ProtectProc = "invisible"` instead; this option implies `MountAPIVFS`
|
||||
ProtectProc = "invisible";
|
||||
|
||||
# entire file system hierarchy gets mounted read-only, except `/dev` `/proc` and `/sys`
|
||||
ProtectSystem = "strict";
|
||||
|
||||
# you need to exclude "AF_UNIX" if unix sockets are not used
|
||||
|
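Review bot: the comment on `ProtectSystem = "strict";` is correct but stops short of the part that bites: with `strict` the service can write nowhere outside `/dev`, `/proc` and `/sys`, so any state, log or runtime directory it needs has to be re-enabled with `ReadWritePaths=` (or `StateDirectory=`, `RuntimeDirectory=`, `LogsDirectory=`, which also create the directory with the right owner); one sentence here would prevent exactly the crash the section warns about. The `# you need to exclude "AF_UNIX" if unix sockets are not used` comment should be softened rather than left as a rule: systemd.exec(5) recommends keeping `AF_UNIX` in the `RestrictAddressFamilies=` list because local logging via syslog(3)/`/dev/log`, D-Bus and NSS lookups use unix sockets even when the service itself never opens one, so "not used" is hard to establish.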
@ -104,17 +105,19 @@ RemoveIPC = true;
|
|||
|
||||
# allow general system service operations, except ~@ sets
|
||||
# (see full list of predefined system call sets with `systemd-analyze syscall-filter`)
|
||||
SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" "~@resources" ];
|
||||
SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ];
|
||||
# this disables IPC (some services require IPC, so be careful)
|
||||
SystemCallFilter = [ "~@ipc" ];
|
||||
```
|
||||
|
||||
#### very specific hardening options (resource control unit settings)
|
||||
### some very specific hardening options (resource control unit settings)
|
||||
|
||||
When `PrivateDevices` is `true`, all non-pseudo /dev devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems.
|
||||
These options are described in [official systemd resource control documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options).
|
||||
|
||||
When `PrivateDevices` is `true`, all non-pseudo `/dev` devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems access.
|
||||
|
||||
```nix
|
||||
# allow pseudo devices
|
||||
# explicitly allow pseudo devices
|
||||
DevicePolicy = "closed";
|
||||
# explicit list of accessible devices
|
||||
DeviceAllow = [ "" ];
|
||||
|
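Review bot: the two `SystemCallFilter =` assignments in this `nix` block (the `@system-service` list and the later `SystemCallFilter = [ "~@ipc" ];`) cannot both be applied as written: repeated `SystemCallFilter=` lines merge in a unit file, but in a Nix attribute set assigning the same attribute twice is an evaluation error ("attribute already defined"), so either fold `"~@ipc"` into the single list or present the second line as a commented-out optional addition; the `~@resources`/`~@setuid` swap itself is fine, the filter sets are unordered and this is purely alphabetical. Two smaller points in the device block: `DeviceAllow = [ "" ];` does not list anything, the empty string resets the list, so the comment "explicit list of accessible devices" should say so and show a real entry such as `"/dev/net/tun rw"`; and the new `# explicitly allow pseudo devices` comment on `DevicePolicy = "closed";` is accurate (closed permits only `/dev/null`, `/dev/zero`, `/dev/full`, `/dev/random`, `/dev/urandom` plus the `DeviceAllow=` entries) but would be clearer if it named them.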
@ -123,11 +126,11 @@ DeviceAllow = [ "" ];
|
|||
The following are self-explanatory:
|
||||
|
||||
```nix
|
||||
SocketBindAllow = "tcp:80";
|
||||
SocketBindDeny = "any";
|
||||
SocketBindAllow = "tcp:80";
|
||||
```
|
||||
|
||||
#### resources control (limits) for a systemd service
|
||||
#### resources limits for a systemd service
|
||||
|
||||
Systemd resource control directives allow you to limit resources provided to a service. For example, if `MemoryMax` limit is exceeded, OOM killer gets invoked.
|
||||
|
||||
|
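Review bot: "resources limits" in the renamed heading should be "resource limits". On the `SocketBindAllow`/`SocketBindDeny` reorder: if the intent is to present the deny rule as the default and the allow rule as the exception, say so in a comment, because "The following are self-explanatory" hides two things a reader needs: `tcp:80` carries no `ipv4:`/`ipv6:` prefix and therefore applies to both families, and these rules only restrict bind(2) inside the unit's cgroup, they do not grant the port, so a non-root service binding 80 still needs `CAP_NET_BIND_SERVICE` in the capability sets the article discusses earlier.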
@ -147,9 +150,7 @@ systemd.service = {
|
|||
|
||||
`MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation.
|
||||
|
||||
Refer to [official documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options) for many other options.
|
||||
|
||||
#### blocking any network connections except localhost
|
||||
#### blocking all network connections except localhost
|
||||
|
||||
This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above.
|
||||
|
||||
|
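Review bot: the `MemoryHigh` context line has a typo ("processses") and "allows to go above the limit" is ungrammatical; suggest "allows usage to go above the limit, but the processes are heavily slowed down and memory is reclaimed aggressively". Dropping "Refer to [official documentation] ... for many other options." here is fine now that the same link opens the resource-control section. The paragraph under the renamed "blocking all network connections except localhost" heading is a fragment ("And can be configured also with..."); join it to the previous sentence, e.g. "This is appropriate when a service only talks to the outside world through a reverse proxy such as nginx, and it can be configured with the resource control directives mentioned above", and since this hunk does not show which directives, name them (presumably `IPAddressDeny=any` with `IPAddressAllow=localhost`).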