dist: harden systemd service unit #276
Merged
With this patch the systemd service will now run in a hardened sandbox that limits the kinds of subsystems available to the unit. This improves the overall security of the system, as nextcloud-spreed-signaling becomes almost pointless to exploit. The most notable changes include:

- The entire file system is mounted read-only with `ProtectSystem=strict`
- No binaries are executable, apart from `/usr/bin/signaling`, with `NoExecPaths=/` and `ExecPaths=/usr/bin/signaling`
- The service cannot see any user on the system apart from the one that is running the process, with `PrivateUsers=yes`
- Most of the `/proc` subsystem is inaccessible, and things like system stats may be unavailable, with `ProcSubset=pid`
- All home directories are inaccessible, with `ProtectHome=yes`
- The kinds of permitted system calls are limited, via `SystemCallFilter=`

I highly recommend that you read the systemd.exec(5) manual page to fully understand what these options do and how they can protect the system. https://www.freedesktop.org/software/systemd/man/systemd.exec.html

Unfortunately I haven't been running nextcloud-spreed-signaling in a while, and I can't currently check that these options do not break functionality. I have tested this in a limited environment and it seems that everything still works fine, but it would be better to also check that e.g. the Janus integration is still functional in this hardened sandbox.
ping @morph027 who provided the initial systemd service

Will add it to my personal instance for testing... thanks for providing and pinging!

@morph027 did you get a chance to test this?

Ah, thanks for pinging. Works so far. Only thing I noticed is that my systemd might be a bit too old for some features.
However, it still works.

Thanks for the feedback.
Please note that `ProcSubset` is quite restrictive, and as the systemd.exec(5) manpage says:

> Note that Linux exposes various kernel APIs via /proc/, which are made unavailable with this setting. Since these APIs are used frequently this option is useful only in a few, specific cases, and is not suitable for most non-trivial programs.

In my experience "most non-trivial programs" has not been accurate, and I have used the hardening option on various services without issues, but as Morph hasn't been able to test the option I think it might be appropriate to keep this in mind when dealing with new bug reports.

@fancycode, does this project rely on /proc Linux APIs? In any case, thanks for merging :D

--
OpenPGP key: 66DE F152 8299 0C21 99EF A801 A8A1 28A8 AB1C EE49
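A unit that puts the six directives from the PR description together with the `ProcSubset` caveat raised in the comment above, as an added example; it is not the `signaling.service` shipped in the project's `dist/` directory. It assumes the binary is installed as `/usr/bin/signaling` (the only path the description names), that it reads its configuration from `/etc/signaling/server.conf`, and that a dedicated `signaling` system user exists (the sysusers file from #275 would create one). The config path, the user name and every directive beyond the six listed in the description are assumptions, not something this PR states.

```ini
# Added example unit, not the one from nextcloud-spreed-signaling's dist/ directory.
# Assumed: binary at /usr/bin/signaling, config at /etc/signaling/server.conf,
# and an existing unprivileged system user "signaling".
[Unit]
Description=Nextcloud Talk signaling server (hardened example)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=signaling
Group=signaling
ExecStart=/usr/bin/signaling --config /etc/signaling/server.conf
Restart=on-failure

# File system: whole tree read-only, home directories hidden, private /tmp.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
# The only writable location: /var/lib/signaling, created and owned for the unit.
StateDirectory=signaling

# Nothing is executable except the service binary itself (systemd >= 248).
# A dynamically linked binary would additionally need its library directories
# (e.g. /usr/lib /usr/lib64) listed in ExecPaths=, as the systemd.exec(5) example shows.
NoExecPaths=/
ExecPaths=/usr/bin/signaling

# User and kernel-interface isolation.
PrivateUsers=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
NoNewPrivileges=yes
CapabilityBoundingSet=
RestrictRealtime=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# AF_NETLINK is what Go's net package uses to enumerate interfaces.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK

# Only /proc/<pid>/ entries remain; /proc/sys, /proc/meminfo and friends disappear
# (systemd >= 247). This is the directive the comment above flags as the likely
# culprit for future bug reports; loosen it to ProcSubset=all in a drop-in if needed.
ProcSubset=pid
ProtectProc=invisible

# Allow the common service syscall set and strip the privileged group from it.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target
```

Two checks worth running after installing such a unit: `systemd-analyze security signaling.service` reports the exposure score and names any directive it does not know (older systemd, as in the comment above, warns about unknown settings and ignores them, so `ExecPaths=`/`NoExecPaths=` and `ProcSubset=` simply have no effect there), and a functional test of the Janus and backend paths catches the `ProcSubset=pid` case. If something does break, override the single offending directive with `systemctl edit signaling.service` (for example `[Service]` followed by `ProcSubset=all`) rather than discarding the whole sandbox.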
mwalbeck added a commit to mwalbeck/docker-nextcloud-spreed-signaling that referenced this pull request on Aug 6, 2022:

This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [strukturag/nextcloud-spreed-signaling](https://github.com/strukturag/nextcloud-spreed-signaling) | major | `v0.5.0` -> `v1.0.0` |

### Release Notes

strukturag/nextcloud-spreed-signaling

#### [`v1.0.0`](https://github.com/strukturag/nextcloud-spreed-signaling/releases/tag/v1.0.0)

[Compare Source](strukturag/nextcloud-spreed-signaling@v0.5.0...v1.0.0)

##### Added

- Clustering support. [#281](strukturag/nextcloud-spreed-signaling#281)
- Send initial "welcome" message when clients connect. [#288](strukturag/nextcloud-spreed-signaling#288)
- Support hello auth version "2.0" with JWT. [#251](strukturag/nextcloud-spreed-signaling#251)
- dist: add systemd sysusers file. [#275](strukturag/nextcloud-spreed-signaling#275)
- Add more tests. [#292](strukturag/nextcloud-spreed-signaling#292)
- Add tests for virtual sessions. [#295](strukturag/nextcloud-spreed-signaling#295)
- Implement per-backend session limit for clusters. [#296](strukturag/nextcloud-spreed-signaling#296)

##### Changed

- Don't run "go mod tidy" when building. [#269](strukturag/nextcloud-spreed-signaling#269)
- Bump sphinx from 5.0.0 to 5.0.1 in /docs [#270](strukturag/nextcloud-spreed-signaling#270)
- Bump sphinx from 5.0.1 to 5.0.2 in /docs [#277](strukturag/nextcloud-spreed-signaling#277)
- Move common etcd code to own class. [#282](strukturag/nextcloud-spreed-signaling#282)
- Support arbitrary capabilities values. [#287](strukturag/nextcloud-spreed-signaling#287)
- dist: harden systemd service unit. [#276](strukturag/nextcloud-spreed-signaling#276)
- Update to Go module version of github.com/golang-jwt/jwt [#289](strukturag/nextcloud-spreed-signaling#289)
- Disconnect sessions with the same room session id synchronously. [#294](strukturag/nextcloud-spreed-signaling#294)
- Bump google.golang.org/grpc from 1.47.0 to 1.48.0 [#297](strukturag/nextcloud-spreed-signaling#297)
- Update to github.com/pion/sdp v3.0.5 [#301](strukturag/nextcloud-spreed-signaling#301)
- Bump sphinx from 5.0.2 to 5.1.1 in /docs [#303](strukturag/nextcloud-spreed-signaling#303)
- make: Include vendored dependencies in tarball. [#300](strukturag/nextcloud-spreed-signaling#300)
- docs: update and pin dependencies. [#305](strukturag/nextcloud-spreed-signaling#305)
- Bump actions/upload-artifact from 2 to 3 [#307](strukturag/nextcloud-spreed-signaling#307)
- Bump actions/download-artifact from 2 to 3 [#308](strukturag/nextcloud-spreed-signaling#308)
- Bump google.golang.org/protobuf from 1.28.0 to 1.28.1 [#306](strukturag/nextcloud-spreed-signaling#306)
- CI: Also test with Golang 1.19 [#310](strukturag/nextcloud-spreed-signaling#310)

##### Fixed

- Fix check for async room messages received while not joined to a room. [#274](strukturag/nextcloud-spreed-signaling#274)
- Fix testing etcd server not starting up if etcd is running on host. [#283](strukturag/nextcloud-spreed-signaling#283)
- Fix CI issues on slow CPUs. [#290](strukturag/nextcloud-spreed-signaling#290)
- Fix handling of "unshareScreen" messages and add test. [#293](strukturag/nextcloud-spreed-signaling#293)
- Fix Read The Docs builds. [#302](strukturag/nextcloud-spreed-signaling#302)

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

Co-authored-by: Magnus Walbeck <[email protected]>
Reviewed-on: https://git.walbeck.it/walbeck-it/docker-nextcloud-spreed-signaling/pulls/207
Co-authored-by: renovate-bot <[email protected]>
Co-committed-by: renovate-bot <[email protected]>