-
Notifications
You must be signed in to change notification settings - Fork 6
/
Copy pathguide.conf
206 lines (170 loc) · 9.66 KB
/
guide.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
# Most comments are from systemd.exec(5) and systemd.resource-control(5)
[Service]
##############
# Networking #
##############
# If true, sets up a new network namespace for the executed
# processes and configures only the loopback network device "lo" inside it. No other
# network devices will be available to the executed process. This is useful to turn off
# network access by the executed process.
PrivateNetwork=yes
# Restricts the set of socket address families accessible to the processes of this unit.
# See address_families(7) for a list and description of each address family.
RestrictAddressFamilies=AF_UNIX
# If true, turns on IPv4 and IPv6 network traffic accounting for
# packets sent or received by the unit. ... all IPv4 and IPv6
# sockets created by any process of the unit are accounted for.
IPAccounting=yes
# Turn on address range network traffic filtering for IP packets sent and received over
# AF_INET and AF_INET6 sockets.
# IPAddressAllow= service does not require access to any IP addresses
IPAddressDeny=any
###############
# File system #
###############
# Note that the effect of these settings may be undone by privileged processes. In order to
# set up an effective sandboxed environment for a unit it is thus recommended to combine
# these settings with either CapabilityBoundingSet=~CAP_SYS_ADMIN or
# SystemCallFilter=~@mount.
# Takes a boolean argument or the special values "read-only" or "tmpfs". If true, the
# directories /home, /root, and /run/user are made inaccessible and empty for processes
# invoked by this unit. If set to "read-only", the three directories are made read-only
# instead. If set to "tmpfs", temporary file systems are mounted on the three directories
# in read-only mode. ...
# It is recommended to enable this setting for all long-running services (in particular
# network-facing ones), to ensure they cannot get access to private user data, unless the
# services actually require access to the user's private data.
ProtectHome=yes
# Takes a boolean argument or the special values "full" or "strict". If true, mounts the
# /usr and the boot loader directories (/boot and /efi) read-only for processes invoked by
# this unit. If set to "full", the /etc directory is mounted read-only, too. If set to
# "strict" the entire file system hierarchy is mounted read-only, except for the API file
# system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=,
# ProtectKernelTunables=, ProtectControlGroups=). It is recommended to enable this setting
# for all long-running services, unless they are involved with system updates or need to
# modify the operating system in other ways.
ProtectSystem=strict
# Sets up a new file system namespace for executed processes. These options may be used to
# limit access a process might have to the file system hierarchy.
ReadWritePaths=-/example/path
# If true, sets up a new file system namespace for the executed
# processes and mounts private /tmp and /var/tmp directories inside it that is not shared
# by processes outside of the namespace. This is useful to secure access to temporary files
# of the process, but makes sharing between processes via /tmp or /var/tmp impossible.
PrivateTmp=yes
###################
# User separation #
###################
# If true, sets up a new user namespace for the executed
# processes and configures a minimal user and group mapping, that maps the "root" user and
# group as well as the unit's own user and group to themselves and everything else to the
# "nobody" user and group. This is useful to securely detach the user and group databases
# used by the unit from the rest of the system, and thus to create an effective sandbox
# environment.
# PrivateUsers= service runs as root
# If set, a UNIX user and group pair is allocated dynamically
# when the unit is started, and released as soon as it is stopped.
# DynamicUser= service runs as root
###########
# Devices #
###########
# If true, sets up a new /dev mount for the executed processes
# and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
# the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory
# /dev/mem, system ports /dev/port and others. This is useful to securely turn off physical
# device access by the executed process.
PrivateDevices=yes
# Control access to specific device nodes by the executed processes. Takes two
# space-separated strings: a device node specifier followed by a combination of r, w, m to
# control reading, writing, or creation of the specific device node(s) by the unit (mknod),
# respectively.
# The device node specifier is either a path to a device node in the file system, starting
# with /dev/, or a string starting with either "char-" or "block-" followed by a device
# group name, as listed in /proc/devices.
DeviceAllow=/dev/exampledevice
##########
# Kernel #
##########
# If true, kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger,
# /proc/latency_stats, /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be
# made read-only to all processes of the unit. ... Few services need to write to these
# at runtime; it is hence recommended to turn this on for most services.
ProtectKernelTunables=yes
# If true, explicit module loading will be denied.
ProtectKernelModules=yes
# If true, access to the kernel log ring buffer will be denied.
# It is recommended to turn this on for most services that do not need to read from or
# write to the kernel log ring buffer.
ProtectKernelLogs=yes
########
# Misc #
########
# Controls which capabilities to include in the capability bounding set for the executed
# process. See capabilities(7) for details.
CapabilityBoundingSet=
# Ambient capability sets are useful if you want to execute a process as a non-privileged
# user but still want to give it some capabilities.
# AmbientCapabilities= service runs as root
# If true, ensures that the service process and all its children
# can never gain new privileges through execve() (e.g. via setuid or setgid bits, or
# filesystem capabilities). This is the simplest and most effective way to ensure that a
# process and its children can never elevate privileges again.
NoNewPrivileges=yes
# When set, sets up a new UTS namespace for the executed
# processes. In addition, changing hostname or domainname is prevented.
ProtectHostname=yes
# If set, writes to the hardware clock or system clock will be
# denied. It is recommended to turn this on for most services that do not need modify the
# clock.
ProtectClock=yes
# Except for container managers no services should require write access to the control
# groups hierarchies; it is hence recommended to turn this on for most services.
ProtectControlGroups=yes
# Restricts access to Linux namespace functionality for the processes of this unit.
RestrictNamespaces=yes
# If set, locks down the personality(2) system call so that the
# kernel execution domain may not be changed from the default or the personality selected
# with Personality= directive. This may be useful to improve security, because odd
# personality emulations may be poorly tested and source of vulnerabilities.
LockPersonality=yes
# This option improves service security, as it makes harder for software
# exploits to change running code dynamically. However, the protection can be circumvented,
# if the service can write to a filesystem, which is not mounted with noexec (such as
# /dev/shm), or it can use memfd_create(). This can be prevented by making such file
# systems inaccessible to the service (e.g. InaccessiblePaths=/dev/shm) and installing
# further system call filters (SystemCallFilter=~memfd_create).
MemoryDenyWriteExecute=yes
# If set, any attempts to enable realtime scheduling in a process of the unit are refused.
# ... Realtime
# scheduling policies may be used to monopolize CPU time for longer periods of time, and
# may hence be used to lock up or otherwise trigger Denial-of-Service situations on the
# system. It is hence recommended to restrict access to realtime scheduling to the few
# programs that actually require them.
RestrictRealtime=yes
# If set, any attempts to set the set-user-ID (SUID) or
# set-group-ID (SGID) bits on files or directories will be denied. ... As the
# SUID/SGID bits are mechanisms to elevate privileges, and allows users to acquire the
# identity of other users, it is recommended to restrict creation of SUID/SGID files to the
# few programs that actually require them.
RestrictSUIDSGID=yes
# If set, all System V and POSIX IPC objects owned by the user
# and group the processes of this unit are run as are removed when the unit is stopped.
# This setting only has an effect if at least one of User=, Group= and DynamicUser= are
# used. It has no effect on IPC objects owned by the root user.
# RemoveIPC= service runs as root
################
# System calls #
################
# Use systemd-analyze syscall-filter to list the actual list of
# system calls in each filter. ... If this setting is used, all system
# calls executed by the unit processes except for the listed ones will result in immediate
# process termination with the SIGSYS signal (whitelisting).
# If the first character of the list is "~", the effect is inverted: only the listed
# system calls will result in immediate process termination (blacklisting).
SystemCallFilter=@system-service
SystemCallFilter=~@resources @privileged
# Takes a space-separated list of architecture identifiers to include in the system call
# filter. ... The special identifier native implicitly maps to the native
# architecture of the system (or more precisely: to the architecture the system manager is
# compiled for).
SystemCallArchitectures=native