Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

security: restrict abis in bitcoind.service #28340

Merged
merged 1 commit into from Apr 17, 2024
Merged

security: restrict abis in bitcoind.service #28340

merged 1 commit into from Apr 17, 2024
+3 −0

Conversation

CharlieC3
Copy link
Contributor

@CharlieC3 CharlieC3 commented Aug 24, 2023
edited

As noted here, it's a good idea to pair MemoryDenyWriteExecute=true with SystemCallArchitectures=native because MemoryDenyWriteExecute can be circumvented in some operating systems which support multiple ABIs like x86/x86-64.
This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area.

@CharlieC3
security: restrict abis in bitcoind.service
0244416 
It's recommended to restrict the possible application binary interfaces that can be used when setting `MemoryDenyWriteExecute=true` to ensure it cannot be circumvented.
@DrahtBot
Copy link
Contributor

DrahtBot commented Aug 24, 2023
edited

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK laanwj, 0xB10C
Concept ACK Sjors

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

@Sjors
Copy link
Member

Sjors commented Aug 25, 2023

Probably Concept ACK, because nix-bitcoin does this too: https://github.com/fort-nix/nix-bitcoin/blob/master/pkgs/lib.nix

Might as well consider all the extra stuff they added there.

@achow101 achow101 requested review from laanwj and 0xB10C April 9, 2024 14:36
@laanwj
Copy link
Member

laanwj commented Apr 9, 2024

ACK 0244416 . This is a sensible security feature.
It looks like the documentation of systemd.exec even mentions this pairing.

I do agree with @Sjors, however, that when we're adding systemd hardening options, we might as well look further.

@DrahtBot DrahtBot requested a review from Sjors April 9, 2024 14:45
@0xB10C
Copy link
Contributor

0xB10C commented Apr 10, 2024

ACK 0244416

@ryanofsky ryanofsky merged commit dbd2000 into bitcoin:master Apr 17, 2024
14 of 15 checks passed
@blckbx blckbx mentioned this pull request Apr 18, 2024
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@laanwj laanwj Awaiting requested review from laanwj

@0xB10C 0xB10C Awaiting requested review from 0xB10C

@Sjors Sjors Awaiting requested review from Sjors

Assignees
No one assigned
Labels
CI failed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@CharlieC3 @DrahtBot @Sjors @laanwj @0xB10C @ryanofsky