- added systemd sandboxing for services
authorArvin Schnell <aschnell@suse.de>
Wed, 28 Apr 2021 08:18:28 +0000 (10:18 +0200)
committerArvin Schnell <aschnell@suse.de>
Wed, 28 Apr 2021 08:18:28 +0000 (10:18 +0200)
data/boot.service
data/cleanup.service
data/snapperd.service
data/systemd-sandboxing.txt [new file with mode: 0644]
data/timeline.service
package/snapper.changes

index da5966e71edb1a297cd857c2f3cbd92bacc2fef5..2496143b8b73ce6dcc45fe95d3cfcf376cff84fc 100644 (file)
@@ -5,3 +5,14 @@ ConditionPathExists=/etc/snapper/configs/root
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
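Review bot: The reason CAP_SYS_ADMIN and CAP_SYS_MODULE stay in `CapabilityBoundingSet=`, and why ProtectKernelModules= and ProtectClock= are absent, is recorded only in data/systemd-sandboxing.txt, so a reader of boot.service sees a bounding set that still permits module loading next to a row of Protect*/Restrict* options and cannot tell the trade-off was deliberate; the identical block is added to cleanup.service, snapperd.service and timeline.service in this commit. A comment above the block in each unit, e.g. `# Sandboxing: see data/systemd-sandboxing.txt for why CAP_SYS_ADMIN/CAP_SYS_MODULE remain and ProtectKernelModules=/ProtectClock= are not set (LVM)`, would carry that context to where it is needed. `NoNewPrivileges=false` appears to restate the default for a service running as root, so if it is there to pre-empt the NoNewPrivileges= that several of these options imply for non-root services, that intent belongs in the same comment rather than in a bare `false`. Since the four copies have to be kept in sync by hand, a one-line pointer to the notes file also makes it easier to review later changes to any one of them.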
index cb78e93a295089b2fc27d98df876efe75323dd81..f2180d0c9b90a90e61dcaa7dd90dbd45197544b6 100644 (file)
@@ -8,3 +8,14 @@ Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
index cad16205b9d403bd4f265c9f32ccd5d943620cb7..bb72585043af40ae7bf55c14f1d7c13ff4460b29 100644 (file)
@@ -6,3 +6,14 @@ Documentation=man:snapperd(8)
 Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
new file mode 100644 (file)
index 0000000..143e5dc
--- /dev/null
@@ -0,0 +1,21 @@
+
+Notes about systemd sandboxing
+------------------------------
+
+CapabilityBoundingSet=CAP_SYS_ADMIN is needed to get the btrfs default
+subvolume id.
+
+ProtectClock=true breaks LVM - strange.
+
+CAP_SYS_MODULE is needed for LVM (creating snapshots, loads
+dm_snapshot).
+
+ProtectKernelModules=true breaks LVM.
+
+CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.
+
+ProtectHome=true breaks diff for LVM.
+
+SystemCallFilter=@mount breaks almost everything with older systemd,
+e.g. on SLE15 SP1.
+
index 565810f7b2e53f6d1d1291bed473adeb2883ddc0..5302fcd74a511392b3c2c33a09b7ff9df0cee0bf 100644 (file)
@@ -7,3 +7,13 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
 
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
index 684eafd0773870635d104e1501432d48cf5fee2c..6938a90bde665e4ce7baa151ece345470a36a701 100644 (file)
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Apr 28 10:17:14 CEST 2021 - aschnell@suse.com
+
+- added systemd sandboxing for services
+
 -------------------------------------------------------------------
 Mon Apr 19 09:56:40 CEST 2021 - aschnell@suse.com