ProtectSystem=strict shouldn't take precedence over TemporaryFileSystem=/

[dechamps]

systemd version the issue has been seen with
247.3-1

Used distribution
Debian Unstable

Linux kernel version used (uname -a)
5.10.0-4-amd64 #1 SMP Debian 5.10.19-1 (2021-03-02) x86_64 GNU/Linux

Expected behaviour you didn't see

When using the following configuration:

ProtectSystem=strict
TemporaryFileSystem=/

I would have expected / to be an empty tmpfs, which is more secure than even ProtectSystem=strict (which only makes the host / read-only).

Unexpected behaviour you saw

TemporaryFileSystem=/ is ignored and the host / is accessible read-only from within the unit. This weakens security.

Steps to reproduce the problem

The following service:

[Service]
ExecStart=/bin/cat /proc/mounts

ProtectSystem=strict
TemporaryFileSystem=/
BindReadOnlyPaths=/bin /lib /lib64 /proc

Outputs mount information that shows the host / is accessible read-only. If the ProtectSystem=strict line is commented out, only the paths specified in BindPaths= are accessible.

Alternatively, one would way to improve on this situation could be to add another option to ProtectSystem=, which could be named e.g. inaccessible and would prevent all access (even read only) to paths that are not strictly required for typical programs to run.

The use case is as follows: I want to prevent services from reading top-level / directories that they have no business reading. For example stuff like /srv, /mnt, /boot, /media, /opt, etc. I want to use an allowlist to make sure that any new files/directories that may be created in the future under / will be inaccessible by default.

[dechamps]

I just realized that DynamicUser=yes forces ProtectSystem=strict, which makes this issue significantly worse, because that makes it impossible to combine TemporaryFileSystem=/ with DynamicUser=yes.

[bluca]

Yes I think it would make sense to have a mode that essentially does what nspawn --volatile already allows. Note that you don't want to mount /proc from the hosts like that, and also we likely want to only support usr-merged hierarchies, as non-usr-merged is legacy.

[dechamps]

Yes I think it would make sense to have a mode that essentially does what nspawn --volatile already allows

I didn't know about systemd-nspawn --volatile. After reading the manpage it indeed looks somewhat similar.

Note that you don't want to mount /proc from the hosts like that

Yeah, this was only to make cat /proc/mounts work though. Here's an even more minimal reproducer:

[Service]
ExecStart=/bin/ls -la /

ProtectSystem=strict
TemporaryFileSystem=/
BindReadOnlyPaths=/bin /lib /lib64 /usr

The output of ls will show the host's /, which is not what I want. If ProtectSystem=strict is commented out, ls will only list the four configured paths.

we likely want to only support usr-merged hierarchies

That's fine as long as I can still work around that using BindReadOnlyPaths=/bin or something similar.

[jraby]

Is there a workaround for this?

Using DynamicUser and TemporaryFilesystem=/ + a few bind mounts would be a great way to reduce the file system attack surface of some services.

I just stumbled upon this behavior and it’s honestly a real issue with no workaround yet. Would be good to have additional options to easily hide most of the files and folders a process has no business with.

[brandsimon]

systemd 250 works with PrivateUsers and TemporaryFileSystem, but ProtectSystem still invalidates TemporaryFileSystem.

$ systemd-run --user --quiet --pty -p PrivateUsers=yes -p PrivateMounts=yes -p TemporaryFileSystem=/ /usr/bin/ls /usr
run-u693.service: Failed to locate executable /usr/bin/ls: No such file or directory
run-u693.service: Failed at step EXEC spawning /usr/bin/ls: No such file or directory
$ systemd-run --user --quiet --pty -p PrivateUsers=yes -p PrivateMounts=yes -p ProtectSystem=strict -p TemporaryFileSystem=/ /usr/bin/ls /usr
bin  include  lib  lib64  local  sbin  share  src

I think there should be at least a warning, since the behavior is not obvious at all. In the worst case there could be information leak and a bigger attack surface.
For a pull requests, would it be okay to just ignore ProtectSystem if TemporaryFileSystem=/ is supplied?

[tmccombs]

For a pull requests, would it be okay to just ignore ProtectSystem if TemporaryFileSystem=/ is supplied?

or maybe change the order so that the ProtectSystem mount happens before the TemporaryFileSystem mount?