
systemd: add sandboxing directives

This sandboxes the service in three ways:

* Remove all capabilities by emptying the capability bounding set and
  setting the no_new_privs bit. irqbalance drops capabilities during
  initialization anyways, and as far as I can tell nothing before that
  step requires capabilities, so we might as well drop them even
  earlier.

* Mount the entire file system except for /proc/irq read-only. /proc/irq
  is the only directory that irqbalance should need to write to
  (assuming that no PID file is configured).

* Disable most communication with the outside world by preventing access
  to address families other than unix(7) (e.g. ip(7), ipv6(7)) and
  hiding sockets in the /run directory from it. (Due to the file system
  restrictions, the daemon cannot allocate new socket files either, but
  the abstract namespace remains accessible for communication with
  irqbalance-ui.)

This is not a complete sandbox, but intended to strike a balance between
security and a readable, not overly long unit file.

Signed-off-by: Lucas Werkmeister <mail@lucaswerkmeister.de>
lucaswerkmeister committed Jun 7, 2018
1 parent 93e9429 commit 5deac3d0acdd69b458f0103991f3d0505e0e2edf
Showing with 6 additions and 0 deletions.
  1. +6 −0 misc/irqbalance.service
@@ -7,6 +7,12 @@ ConditionVirtualization=!container
[Service]
EnvironmentFile=/path/to/irqbalance.env
ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS
CapabilityBoundingSet=
NoNewPrivileges=yes
ReadOnlyPaths=/
ReadWritePaths=/proc/irq
RestrictAddressFamilies=AF_UNIX
TemporaryFileSystem=/run:ro
[Install]
WantedBy=multi-user.target
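Review bot: the "assuming that no PID file is configured" caveat from the commit message is not visible in the unit file itself, so someone later adding a PID file option to `$IRQBALANCE_ARGS` will hit the `ReadOnlyPaths=/` restriction without knowing why; a short comment next to `ReadWritePaths=/proc/irq` stating that any PID file path must also be listed there would document it. Note also that `TemporaryFileSystem=/run:ro` masks the host's /run, so a PID file placed under /run would need an additional entry as well, since `ReadWritePaths=` on /proc/irq does not cover it.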
