forked from alexoundos/articles
references to official systemd documentation
parent 57daae7466
commit 8121966ffc
article.md
@ -57,7 +57,7 @@ _Btw, if your systemd service code gets large and you want to wrap it into somet
|
||||||
|
|
||||||
### common hardening options (execution environment configuration)
|
### common hardening options (execution environment configuration)
|
||||||
|
|
||||||
Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
|
These options are described in [official systemd execution environment configuration](https://www.freedesktop.org/software/systemd/man/systemd.exec.html). Note, that many of these may cause your service malfunction or even crash. So, always test after applying them.
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
# (refer to [capabilities man page](https://www.man7.org/linux/man-pages/man7/capabilities.7.html))
|
# (refer to [capabilities man page](https://www.man7.org/linux/man-pages/man7/capabilities.7.html))
|
||||||
|
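Review bot: the rewritten sentence keeps the grammar problems of the old one; it should read "Note that many of these may cause your service to malfunction or even crash, so always test after applying them." Since the added link is the only real change, it would also help to say what "test" means here: start the unit with the new settings and read `journalctl -u <unit>` for EPERM/EACCES-style failures from the service, because `systemd-analyze security <unit>` only scores the unit's exposure and says nothing about whether the service still works.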
@ -89,6 +89,7 @@ ProtectKernelTunables = true;
|
||||||
# some services need `ProtectProc = "invisible"` instead; this option implies `MountAPIVFS`
|
# some services need `ProtectProc = "invisible"` instead; this option implies `MountAPIVFS`
|
||||||
ProtectProc = "invisible";
|
ProtectProc = "invisible";
|
||||||
|
|
||||||
|
# entire file system hierarchy gets mounted read-only, except `/dev` `/proc` and `/sys`
|
||||||
ProtectSystem = "strict";
|
ProtectSystem = "strict";
|
||||||
|
|
||||||
# you need to exclude "AF_UNIX" if unix sockets are not used
|
# you need to exclude "AF_UNIX" if unix sockets are not used
|
||||||
|
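Review bot: the new comment on `ProtectSystem = "strict";` is accurate but stops one step short. With the whole hierarchy read-only, every location the service writes to has to be opened explicitly, so the comment should add that writable paths go in `ReadWritePaths=` (or that `StateDirectory=`, `CacheDirectory=` and `LogsDirectory=` create and mount those directories writable for you), and that `/dev`, `/proc` and `/sys` stay writable unless `PrivateDevices=`, `ProtectKernelTunables=` and `ProtectControlGroups=` cover them; the hunk header's context `ProtectKernelTunables = true;` shows that is the intent, so say it next to the option. Minor: "some services need `ProtectProc = "invisible"` instead" reads oddly directly above a line that sets exactly that value; name the alternative it is "instead" of (the other values are `"noaccess"`, `"ptraceable"` and `"default"`) so the reader knows which one to start from.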
@ -104,17 +105,19 @@ RemoveIPC = true;
|
||||||
|
|
||||||
# allow general system service operations, except ~@ sets
|
# allow general system service operations, except ~@ sets
|
||||||
# (see full list of predefined system call sets with `systemd-analyze syscall-filter`)
|
# (see full list of predefined system call sets with `systemd-analyze syscall-filter`)
|
||||||
SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@setuid" "~@resources" ];
|
SystemCallFilter = [ "@system-service" "~@cpu-emulation" "~@debug" "~@keyring" "~@memlock" "~@obsolete" "~@privileged" "~@resources" "~@setuid" ];
|
||||||
# this disables IPC (some services require IPC, so be careful)
|
# this disables IPC (some services require IPC, so be careful)
|
||||||
SystemCallFilter = [ "~@ipc" ];
|
SystemCallFilter = [ "~@ipc" ];
|
||||||
```
|
```
|
||||||
|
|
||||||
#### very specific hardening options (resource control unit settings)
|
### some very specific hardening options (resource control unit settings)
|
||||||
|
|
||||||
When `PrivateDevices` is `true`, all non-pseudo /dev devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems.
|
These options are described in [official systemd resource control documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options).
|
||||||
|
|
||||||
|
When `PrivateDevices` is `true`, all non-pseudo `/dev` devices are not accessible. You may want to whitelist some. Note, this is not related to filesystems access.
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
# allow pseudo devices
|
# explicitly allow pseudo devices
|
||||||
DevicePolicy = "closed";
|
DevicePolicy = "closed";
|
||||||
# explicit list of accessible devices
|
# explicit list of accessible devices
|
||||||
DeviceAllow = [ "" ];
|
DeviceAllow = [ "" ];
|
||||||
|
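Review bot: the two `SystemCallFilter = [ ... ];` assignments cannot coexist in one Nix attribute set (defining the same attribute twice is an evaluation error), so either fold `"~@ipc"` into the first list or mark the second line in its comment as an optional alternative to type in place of the first. Folding is the right shape anyway: NixOS emits one `SystemCallFilter=` line per list element, which is exactly how systemd expects an allow-list set (`@system-service`) followed by `~@...` removals to be combined. The alphabetical swap of `~@resources` and `~@setuid` is fine, since order among the deny entries does not matter. Separately, `DeviceAllow = [ "" ];` under the comment "explicit list of accessible devices" is not a list of devices: an empty string resets the list, so with `DevicePolicy = "closed";` only the standard pseudo devices (`/dev/null`, `/dev/zero`, `/dev/full`, `/dev/random`, `/dev/urandom`) remain reachable. Say that in the comment, and show what a real entry looks like, e.g. `DeviceAllow = [ "/dev/sdb rw" ];`, so the reader does not copy the empty entry as a template.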
@ -123,11 +126,11 @@ DeviceAllow = [ "" ];
|
||||||
The following are self-explanatory:
|
The following are self-explanatory:
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
SocketBindAllow = "tcp:80";
|
|
||||||
SocketBindDeny = "any";
|
SocketBindDeny = "any";
|
||||||
|
SocketBindAllow = "tcp:80";
|
||||||
```
|
```
|
||||||
|
|
||||||
#### resources control (limits) for a systemd service
|
#### resources limits for a systemd service
|
||||||
|
|
||||||
Systemd resource control directives allow you to limit resources provided to a service. For example, if `MemoryMax` limit is exceeded, OOM killer gets invoked.
|
Systemd resource control directives allow you to limit resources provided to a service. For example, if `MemoryMax` limit is exceeded, OOM killer gets invoked.
|
||||||
|
|
||||||
|
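Review bot: "The following are self-explanatory:" does not carry what a reader needs for the pair `SocketBindDeny = "any";` / `SocketBindAllow = "tcp:80";`: it restricts what the service may bind() to, here TCP port 80 on both IPv4 and IPv6 (prefix the rule with `ipv4:` or `ipv6:` to pin the address family), and it says nothing about outbound connections, which need `IPAddressDeny=`/`IPAddressAllow=` or `RestrictAddressFamilies=`, the subject of the next section. Worth adding that these rules are enforced through the cgroup/bind4 and cgroup/bind6 cgroup-bpf hooks, so they need a kernel that supports them.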
@ -147,9 +150,7 @@ systemd.service = {
|
||||||
|
|
||||||
`MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation.
|
`MemoryMax` is the absolute limit. It is recommended to use `MemoryHigh` as the main control mechanism, because it allows to go above the limit, but the processses are heavily slowed down and memory is taken away aggressively according to systemd documentation.
|
||||||
|
|
||||||
Refer to [official documentation](https://www.freedesktop.org/software/systemd/man/systemd.resource-control.html#Options) for many other options.
|
#### blocking all network connections except localhost
|
||||||
|
|
||||||
#### blocking any network connections except localhost
|
|
||||||
|
|
||||||
This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above.
|
This is appropriate, for example, if a service communicates with outside world via proxy (like `nginx`). And can be configured also with the help of systemd resource control directives, partially mentioned above.
|
||||||
|
|
||||||
|
|
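Review bot: dropping "Refer to [official documentation] ... for many other options." leaves the resource-limits section with no pointer to the resource-control man page; that is fine only if the link added to the "some very specific hardening options" heading earlier in this commit is meant to cover it, so either say so there or keep a one-line pointer here. While touching this region, the unchanged context line has "processses" (should be "processes") and "allows to go above the limit" should be "allows usage to go above the limit". The renamed heading is an improvement; the sentence under it should lose the fragment: "This is appropriate, for example, if a service talks to the outside world only through a reverse proxy such as nginx, and it can also be configured with the systemd resource control directives mentioned above."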