From: Arvin Schnell Date: Wed, 28 Apr 2021 08:18:28 +0000 (+0200) Subject: - added systemd sandboxing for services X-Git-Tag: v0.9.1~16^2~1 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=d884cea34cfe2cb20b0b25683e30b7cb385ca960;p=thirdparty%2Fsnapper.git - added systemd sandboxing for services
---
diff --git a/data/boot.service b/data/boot.service
index da5966e7..2496143b 100644
--- a/data/boot.service
+++ b/data/boot.service
@@ -5,3 +5,14 @@ ConditionPathExists=/etc/snapper/configs/root
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/cleanup.service b/data/cleanup.service
index cb78e93a..f2180d0c 100644
--- a/data/cleanup.service
+++ b/data/cleanup.service
@@ -8,3 +8,14 @@ Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/snapperd.service b/data/snapperd.service
index cad16205..bb725850 100644
--- a/data/snapperd.service
+++ b/data/snapperd.service
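Review bot: The `CapabilityBoundingSet=` line added to boot.service keeps CAP_SYS_MODULE (and CAP_SYS_ADMIN), so a compromised `snapper` process can still load arbitrary kernel code, which turns the `ProtectKernelTunables=true` and `ProtectKernelLogs=true` lines below it into advisory settings rather than enforced ones. The notes file added in this same commit says CAP_SYS_MODULE is only there so LVM can load dm_snapshot; if that module is guaranteed to be loaded before the unit runs (for example via modules-load.d), the capability could be dropped and `ProtectKernelModules=true` added, and btrfs-only installations could tighten it with a drop-in. Whatever is decided, the unit should say why the weak bounding set exists, e.g. `# CAP_SYS_MODULE/CAP_SYS_ADMIN are required for LVM snapshots; see data/systemd-sandboxing.txt`.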
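Review bot: `NoNewPrivileges=false` in the cleanup.service hunk restates systemd's default for a root-run service, yet neither the unit nor data/systemd-sandboxing.txt records why no_new_privs has to stay off, so the next person hardening the unit will flip it without knowing what breaks. As I read systemd.exec(5), several of the added settings (`LockPersonality=`, `RestrictRealtime=`, `ProtectKernelTunables=`) only imply NoNewPrivileges=yes when the service does not run as root, so the explicit false is redundant here unless it is meant to guard against a later `User=` change. A one-line comment above it would preserve the intent: `# NoNewPrivileges=true deliberately not set; see data/systemd-sandboxing.txt`.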
@@ -6,3 +6,14 @@ Documentation=man:snapperd(8)
 Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
new file mode 100644
index 00000000..143e5dcb
--- /dev/null
+++ b/data/systemd-sandboxing.txt
@@ -0,0 +1,21 @@
+
+Notes about systemd sandboxing
+------------------------------
+
+CapabilityBoundingSet=CAP_SYS_ADMIN is needed to get the btrfs default
+subvolume id.
+
+ProtectClock=true breaks LVM - strange.
+
+CAP_SYS_MODULE is needed for LVM (creating snapshots, loads
+dm_snapshot).
+
+ProtectKernelModules=true breaks LVM.
+
+CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.
+
+ProtectHome=true breaks diff for LVM.
+
+SystemCallFilter=@mount breaks almost everything with older systemd,
+e.g. on SLE15 SP1.
+
diff --git a/data/timeline.service b/data/timeline.service
index 565810f7..5302fcd7 100644
--- a/data/timeline.service
+++ b/data/timeline.service
@@ -7,3 +7,13 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/package/snapper.changes b/package/snapper.changes
index 684eafd0..6938a90b 100644
--- a/package/snapper.changes
+++ b/package/snapper.changes
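Review bot: The `CapabilityBoundingSet=` line added to snapperd.service omits CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH, and on Linux UID 0 bypasses file mode bits only through those two capabilities, so the daemon started by `ExecStart=/usr/sbin/snapperd` will get EACCES on any file inside a snapshot that is owned by another user with a restrictive mode (a 0700 service data directory, a 0600 user file). I cannot tell from this diff which snapperd operations read or restore arbitrary files, but the notes file mentions that `diff` is sensitive to sandboxing, so this should be exercised against such a snapshot before release; if it fails, the line needs `CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH` (and possibly CAP_FOWNER for restores). Either way, data/systemd-sandboxing.txt should record which snapperd operation each retained or dropped capability was verified against, so the set is not trimmed again without evidence.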
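Review bot: In the timeline.service hunk the sandboxing block is appended directly after `ExecStart=/usr/lib/snapper/systemd-helper --timeline` with no separating blank line, whereas boot.service, cleanup.service and snapperd.service all insert one; keeping the four blocks byte-identical, including the leading blank line, makes them trivially diffable against each other when a setting is changed later. Separately, the notes file explains CAP_SYS_ADMIN, CAP_SYS_MODULE and CAP_SYS_NICE but says nothing about CAP_CHOWN, CAP_FSETID, CAP_SETFCAP and CAP_IPC_LOCK on the `CapabilityBoundingSet=` line; presumably some serve LVM (memory locking?) and some snapper's ownership/ACL handling, but that is a guess. A line per capability in data/systemd-sandboxing.txt stating what breaks without it would let a maintainer drop one safely later, e.g. `CAP_IPC_LOCK: needed by <tool> for <operation>; verified by <test>`.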
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Apr 28 10:17:14 CEST 2021 - aschnell@suse.com
+
+- added systemd sandboxing for services
+
 -------------------------------------------------------------------
 Mon Apr 19 09:56:40 CEST 2021 - aschnell@suse.com