From 43532e8349aa02a7317ec760f246815267bd6953 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Tue, 20 Sep 2022 13:08:05 -0400
Subject: [PATCH] janus: Enable systemd sandboxing

Helps #299.
Tests:
- janus functional tests pass.
- Sandbox coverage for janus is 81%.
Signed-off-by: James Valleroy
Reviewed-by: Sunil Mohan Adapa
---
 .../system/janus.service.d/freedombox.conf | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 plinth/modules/janus/data/usr/lib/systemd/system/janus.service.d/freedombox.conf

diff --git a/plinth/modules/janus/data/usr/lib/systemd/system/janus.service.d/freedombox.conf b/plinth/modules/janus/data/usr/lib/systemd/system/janus.service.d/freedombox.conf
new file mode 100644
index 000000000..ff39fdff1
--- /dev/null
+++ b/plinth/modules/janus/data/usr/lib/systemd/system/janus.service.d/freedombox.conf
@@ -0,0 +1,25 @@
+[Service]
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_KILL CAP_NET_BIND_SERVICE CAP_NET_RAW CAP_LINUX_IMMUTABLE CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_SYS_BOOT CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_SYS_NICE CAP_SYS_RESOURCE
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectClock=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
+SystemCallErrorNumber=EPERM
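Review bot: The `CapabilityBoundingSet=~…` line is a denylist, so any capability it does not name stays in the bounding set; CAP_NET_BROADCAST, CAP_BPF and CAP_PERFMON are neither listed there nor implicitly dropped by the other settings in the hunk (ProtectKernelModules, ProtectKernelLogs, ProtectClock and PrivateDevices do take care of CAP_SYS_MODULE, CAP_SYSLOG, CAP_SYS_TIME/CAP_WAKE_ALARM and CAP_MKNOD/CAP_SYS_RAWIO). Since the list already removes CAP_NET_BIND_SERVICE and every setuid/setgid-related capability, janus evidently runs without any of them, and the allowlist form `CapabilityBoundingSet=` (empty) would state that intent directly and stay correct as new capabilities are added to the kernel; whether it is safe depends on the User= of the upstream unit, which is outside this patch. `RestrictAddressFamilies=AF_INET AF_INET6` also excludes AF_NETLINK, which glibc's getifaddrs() uses for interface enumeration, something WebRTC stacks commonly rely on for candidate gathering — the passing functional tests suggest it is not needed here, but a one-line comment recording that it was checked would save the next maintainer a debugging session. Finally, `SystemCallErrorNumber=EPERM` makes a filtered syscall return an error instead of killing janus with SIGSYS, so a sandbox gap shows up as an application-level failure rather than a visible seccomp kill in the journal; a header comment such as `# Filtered syscalls fail with EPERM rather than terminating the service; check janus logs, not only the journal, when diagnosing sandbox problems` would document that trade-off.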