diff --git a/article.md b/article.md index bde1a42..75af914 100644 --- a/article.md +++ b/article.md @@ -57,7 +57,7 @@ _Btw, if your systemd service code gets large and you want to wrap it into somet ### common hardening options (execution environment configuration) -Note, that many of these may cause your service malfunction or even crash. So, always test after applying them. +These options are described in [official systemd execution environment configuration](https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Note, that many of these may cause your service malfunction or even crash. So, always test after applying them. ```nix # (refer to [capabilities man page](https://www.man7.org/linux/man-pages/man7/capabilities.7.html)) @@ -89,6 +89,7 @@ ProtectKernelTunables = true; # some services need `ProtectProc = "invisible"` instead; this option implies `MountAPIVFS` ProtectProc = "invisible"; +# entire file system hierarchy gets mounted read-only, except `/dev` `/proc` and `/sys` ProtectSystem = "strict"; # you need to exclude "AF_UNIX" if unix sockets are not used 
@@ -104,17 +105,19 @@ RemoveIPC = true; # allow general system service operations, except ~@ sets # (see full list of predefined system call sets with `systemd-analyze syscall-filter`) -SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" "~@resources" ]; +SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ]; # this disables IPC (some services require IPC, so be careful) SystemCallFilter = [ "~@ipc" ]; ``` -#### very specific hardening options (resource control unit settings) +### some very specific hardening options (resource control unit settings) -When `PrivateDevices` is `true`, all non-pseudo /dev devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems. +These options are described in [official systemd resource control documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options). + +When `PrivateDevices` is `true`, all non-pseudo `/dev` devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems access. ```nix -# allow pseudo devices +# explicitly allow pseudo devices DevicePolicy = "closed"; # explicit list of accessible devices DeviceAllow = [ "" ]; @@ -123,11 +126,11 @@ DeviceAllow = [ "" ]; The following are self-explanatory: ```nix -SocketBindAllow = "tcp:80"; SocketBindDeny = "any"; +SocketBindAllow = "tcp:80"; ``` -#### resources control (limits) for a systemd service +#### resources limits for a systemd service Systemd resource control directives allow you to limit resources provided to a service. For example, if `MemoryMax` limit is exceeded, OOM killer gets invoked. 
@@ -147,9 +150,7 @@ systemd.service = { `MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation. -Refer to [official documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options) for many other options. - -#### blocking any network connections except localhost +#### blocking all network connections except localhost This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above.
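Review bot: in the first hunk (`@@ -57,7`), the rewritten line carries over the grammar slip from the line it replaces: "Note, that many of these may cause your service malfunction. So, always test after applying them." Since the line is being touched anyway, suggest "Note that many of these may cause your service to malfunction or even crash, so always test after applying them."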
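Review bot: in the second hunk (`@@ -89,6`), the new comment on `ProtectSystem = "strict"` leaves out the consequence a reader copying this block will hit first: with the whole hierarchy read-only, every path the service must write (state directories, log files, sockets under `/run`) has to be re-enabled explicitly with `ReadWritePaths=`, otherwise the unit fails on its first write. Suggest `# entire file system hierarchy gets mounted read-only, except /dev, /proc and /sys; re-enable writable paths with ReadWritePaths` (this also adds the missing comma between `/dev` and `/proc`).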
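Review bot: in the third hunk (`@@ -104,17`), the block still assigns `SystemCallFilter` twice inside one Nix attribute set (`SystemCallFilter = [ "@system-service" ... ];` followed by `SystemCallFilter = [ "~@ipc" ];`). Repeated `SystemCallFilter=` lines merge in unit-file syntax, but Nix rejects a duplicate attribute, so a reader pasting both into `serviceConfig` gets an evaluation error. If the two are meant to be combined, append `"~@ipc"` to the single list (NixOS renders a list value as multiple `SystemCallFilter=` lines); if the second is an alternative, say so in the comment. Minor: "not related to filesystems access" should be "not related to file system access".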
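Review bot: in the fourth hunk (`@@ -123,11`), the renamed heading "resources limits for a systemd service" should read "resource limits for a systemd service".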
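Review bot: in the last hunk (`@@ -147,9`), the context line above the removed pointer still contains "processses" (three s) and "it allows to go above the limit" (should be "it allows the service to go above the limit"); worth fixing while this paragraph is being edited, since the link it used to point at now lives under the "some very specific hardening options" heading and nothing else in this section references the resource-control documentation.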