systemd: enable systemd hardening features #7286
Conversation
I've added a reduced set of security settings for users who need the FUSE mount feature.
(force-pushed c097d28 to 25a2e31)
I've added a separate hardened service file, so the maintainer can choose between hardening and the FUSE mount functionality.
Stebalien left a comment:
Some nits/questions, otherwise LGTM.
| ProtectKernelModules=true | ||
| ProtectKernelLogs=true | ||
| PrivateDevices=true | ||
| DevicePolicy=closed |
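Review bot: An older systemd ignores a directive it does not recognise (it only logs a warning about an unknown key), so any of these four lines that a distribution's systemd predates is silently dropped and the unit starts with less hardening than the file suggests; consider a header comment stating the minimum systemd version the file was tested against, so a maintainer on an older release knows what is lost.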
This is implied by PrivateDevices, right?
PrivateDevices will set DevicePolicy=closed; the reasoning for setting it explicitly is that some older systemd versions might support just the simpler DevicePolicy=closed but don't yet support PrivateDevices.
In this case PrivateDevices would be ignored and DevicePolicy=closed not set.
| # enable to specify a custom path see docs/environment-variables.md for further documentations | ||
| #Environment=IPFS_PATH=/custom/ipfs/path | ||
| # enable to specify a higher limit for open files/connections | ||
| #LimitNOFILE=1000000 |
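Review bot: With `#LimitNOFILE=1000000` commented out the unit inherits systemd's default file descriptor limit, and the service can only raise its own soft limit up to whatever hard limit it inherits, so for a service that holds many connections this line is worth enabling (possibly with a lower explicit value) rather than leaving as a hint. Also, in the two comment lines "enable to" should read "uncomment to", and "further documentations" should be "further documentation".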
Given all these restrictions, will IPFS be able to set its own file descriptor limits? If not, we should probably set this.
Thanks!
Motivation
IPFS is a network-facing service, which needs only very limited access to the system itself outside of its state directory.
Systemd allows a lot of hardening to separate a network process from the system and reduce the attack surface.
This PR aims to enable all possible options for the latest systemd version.
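The two review points above (keeping DevicePolicy=closed next to PrivateDevices=true because an older systemd silently ignores directives it does not know, and the consequence of leaving LimitNOFILE= commented out) can be turned into a small check a maintainer runs over a unit file before shipping it. The script below is an added example written for this page, not code from the go-ipfs PR; the unit text it lints is constructed here and mirrors only the settings quoted in the review, and the helper names (`has_directive`, `check_fallback`, `check_nofile`, `lint_unit`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the go-ipfs PR): lint a systemd unit for two
# hardening pitfalls discussed in the review.
#   1. Older systemd versions ignore directives they do not know (they only
#      log a warning), so a newer directive that implies an older one
#      (PrivateDevices=true implies DevicePolicy=closed) should be paired
#      with the older one written out explicitly.
#   2. A commented-out LimitNOFILE= means the unit inherits the default
#      limit; the service can raise its own soft limit only up to the
#      hard limit it inherits.
# The unit text below is constructed for this example.

SAMPLE_UNIT='[Unit]
Description=constructed sample unit, not the project file

[Service]
ProtectKernelModules=true
ProtectKernelLogs=true
PrivateDevices=true
DevicePolicy=closed
# uncomment to specify a higher limit for open files/connections
#LimitNOFILE=1000000
'

# has_directive UNIT_TEXT KEY VALUE_REGEX
# Succeeds when an uncommented "KEY=VALUE" line is present. A commented
# line such as "#LimitNOFILE=..." does not match because "#" precedes the key.
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2=$3[[:space:]]*$"
}

# check_fallback UNIT_TEXT NEW_KEY NEW_VALUE OLD_KEY OLD_VALUE
# Fails only when the newer directive is set without its older equivalent.
check_fallback() {
    if has_directive "$1" "$2" "$3"; then
        has_directive "$1" "$4" "$5"
    else
        true
    fi
}

# check_nofile UNIT_TEXT
# Fails when no active LimitNOFILE=<soft>[:<hard>] line exists.
check_nofile() {
    has_directive "$1" LimitNOFILE '[0-9]+(:[0-9]+)?'
}

# lint_unit UNIT_TEXT
# Prints one line per finding and returns the number of findings (0 = clean).
lint_unit() {
    _unit=$1
    _findings=0
    if ! check_fallback "$_unit" PrivateDevices true DevicePolicy closed; then
        echo "PrivateDevices=true set without an explicit DevicePolicy=closed fallback"
        _findings=$((_findings + 1))
    fi
    if ! check_nofile "$_unit"; then
        echo "LimitNOFILE not set: unit inherits the default file descriptor limit"
        _findings=$((_findings + 1))
    fi
    return $_findings
}

# Demonstration: lint the sample, then the same unit with LimitNOFILE enabled.
FIXED_UNIT=$(printf '%s\n' "$SAMPLE_UNIT" | sed 's/^#LimitNOFILE=/LimitNOFILE=/')
echo "--- sample unit ---"
if lint_unit "$SAMPLE_UNIT"; then echo "clean"; else echo "findings: $?"; fi
echo "--- with LimitNOFILE uncommented ---"
if lint_unit "$FIXED_UNIT"; then echo "clean"; else echo "findings: $?"; fi
```

On the sample unit the lint reports one finding (LimitNOFILE missing); once that line is uncommented it reports none. Adding further new-directive/old-fallback pairs is a matter of one more `check_fallback` call in `lint_unit`.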