## Security Features in systemd, Lennart Poettering

### `PrivateTmp=yes|no`

- If it is turned on, the service gets its own private `/tmp` and `/var/tmp`
- No other service can see the files it places there
- The lifecycle of these directories is bound to the service runtime: they exist while the service runs and are torn down when it stops
- Traditionally `/tmp` has no defined lifetime at all; this introduces one

### `JoinsNamespaceOf=`

- Run two services in the same namespace
- Since the services share a namespace, they also share one private `/tmp`
- This helps with `IPC` between services that use `/tmp` for placing `AF_UNIX` sockets, without having to give up `PrivateTmp=`
- Only has an effect if `PrivateTmp=` (or `PrivateNetwork=`) is enabled on both the joining unit and the unit whose namespace is joined
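A worked example of the `JoinsNamespaceOf=` pattern, added to these notes and not a unit from the talk: two hypothetical units, `web.service` and `cache.service`, whose binary paths, user names and socket name are assumptions. Both enable `PrivateTmp=`, and the second joins the first's namespace, so the two meet on a Unix socket in a `/tmp` that the rest of the system cannot see.

```ini
# /etc/systemd/system/web.service
# Constructed example: binary path, user and socket name are assumptions.
[Unit]
Description=Web frontend listening on an AF_UNIX socket under its private /tmp

[Service]
User=web
Group=web
ExecStart=/usr/bin/example-web --listen /tmp/web.sock
# This service gets its own /tmp and /var/tmp, torn down when it stops.
PrivateTmp=yes

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/cache.service
# Constructed example: binary path, user and socket name are assumptions.
[Unit]
Description=Cache helper that talks to web.service over /tmp/web.sock
# The namespace to join has to exist first, so order after the target unit.
Requires=web.service
After=web.service

[Service]
# Same group as web.service so the usual socket file permissions still let
# this user connect; namespaces do not bypass DAC checks on the socket.
User=cache
Group=web
ExecStart=/usr/bin/example-cache --connect /tmp/web.sock
# PrivateTmp= must be enabled on both units for the join to have an effect.
PrivateTmp=yes
# Share web.service's private /tmp and /var/tmp instead of getting a fresh one.
JoinsNamespaceOf=web.service

[Install]
WantedBy=multi-user.target
```

Without the `JoinsNamespaceOf=` line, `cache.service` would get its own empty private `/tmp` and never find `/tmp/web.sock`; with it, the socket is shared between exactly these two units and no third service can reach it through `/tmp`.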

### `CapabilityBoundingSet=`

- Makes use of Linux capabilities
- Instead of running the process as root, run it as a normal user and limit it to the specific capabilities it needs
- List capability names (e.g. `CAP_NET_BIND_SERVICE`); the bounding set is reduced to exactly those, and every other capability is dropped for the service and everything it spawns
- Prefix the list with `~` to invert it, i.e. drop only the listed capabilities and keep the rest
- This is a ceiling, not a grant: it only limits what the process can ever hold, it does not hand out anything by itself

### `AmbientCapabilities=`

- Run the service as a normal, unprivileged user and in addition grant it the capabilities listed in `AmbientCapabilities=`
- Typical use: `User=` plus `AmbientCapabilities=CAP_NET_BIND_SERVICE`, so a daemon can bind port 80 without ever being root
- Requires ambient capability support in the kernel (Linux 4.3 or newer)

### `PrivateDevices=yes|no`

- Run the service with a private instance of `/dev`
- It contains only the pseudo devices such as `/dev/null`, `/dev/zero`, `/dev/random`, etc., and no physical device nodes, so the service cannot touch disks or other hardware directly

### `ProtectHome=yes|no|read-only`

- Protects `/home` from a service
- Most services have no business accessing all of `/home`
- `yes:` the service runs and sees the whole file system except `/home`, `/root` and `/run/user`, which appear empty and inaccessible
- `read-only:` weaker than `yes`; the directories stay visible but are mounted read-only

### `ProtectSystem=yes|no|full`

- `yes:` run the service but mount `/usr` (and `/boot`) read-only
- `full:` additionally mount `/etc` read-only
- Either way the service can no longer modify the OS itself; state it legitimately writes belongs under `/var`

### `MountFlags=slave`

- A service with this set runs in its own mount namespace with slave propagation: mounts made on the host still show up inside, but mount changes the service makes do not propagate back to the host mount table

### `ReadWriteDirectories=`
### `ReadOnlyDirectories=`
### `InaccessibleDirectories=`

- Powerful tools to do things explicitly, path by path: a list of directories to keep writable, to make read-only, or to hide from the service entirely
- `ProtectSystem=` and `ProtectHome=` are high-level directives built on this same concept
- `ReadWriteDirectories=` can be nested inside `ReadOnlyDirectories=` to carve a writable state directory out of an otherwise read-only tree
- In newer systemd versions these have been renamed `ReadWritePaths=`, `ReadOnlyPaths=` and `InaccessiblePaths=`; the old names still work

### `SELinuxContext=`
### `AppArmorProfile=`
### `SmackProcessLevel=`

- Explicitly select the SELinux context, AppArmor profile or SMACK label the process runs under, instead of relying on the MAC policy's automatic transition for the executable

### `NoNewPrivileges=yes|no`

- Anything spawned by this process may not acquire new privileges
- No more `UID/GID` changes through privileged binaries, no more capability acquisition
- `setuid/setgid/fcaps` bits on files lose their power: such binaries still execute, just without the extra privilege

### `SystemCallFilter=`

- Put a seccomp filter on the system calls a specific service may make
- Takes a space-separated list of syscall names; by default the list is an allow-list and any other syscall kills the process with `SIGSYS`
- Prefix the list with `~` to turn it into a deny-list, e.g. `SystemCallFilter=~ptrace mount` blocks just those calls and permits everything else

### `SystemCallArchitectures=`

- Restricts which syscall ABIs the process may use; with this a process cannot make 32-bit syscalls on a 64-bit kernel
- e.g. `SystemCallArchitectures=native` only allows the architecture the kernel was built for, so 32-bit binaries cannot run in the service and the 32-bit compat syscall table is closed as a way around a `SystemCallFilter=`

### `PrivateNetwork=yes|no`

- Most services do not need network access
- A service running with this gets its own network namespace containing only a `loopback` device; it gets no access to any other network, in fact it does not even see the other network interfaces
- Great way to build a sandbox, since nothing can reach the service from remote and it cannot reach out either

### `RestrictAddressFamilies=`

- Limits which socket address families the service may create sockets for
- e.g. with `RestrictAddressFamilies=AF_UNIX` the service can create any socket it likes as long as it is a Unix socket; `socket(AF_INET, ...)` and friends fail
- A normal network daemon gets `AF_UNIX AF_INET AF_INET6` and nothing else, keeping `AF_PACKET`, `AF_NETLINK` and other families it has no use for out of reach

### `User=`
### `Group=`
### `SupplementaryGroups=`

- Run any kind of service under the user ID, group ID or supplementary group IDs given here
- This makes sure the service does not run as root but as a dedicated, unprivileged user

### `LimitNPROC=`

- Sets the `RLIMIT_NPROC` resource limit: the number of processes the service's user may have
- Caveat: the limit is counted per UID, not per service, so it only means much when the service runs under its own dedicated `User=`

### `RootDirectory=`

- Similar to classic `chroot`: the service sees the given directory as its root file system

### `LimitFSIZE=0`

- Limit on the size of files the service can create or grow (`RLIMIT_FSIZE`)
- By setting it to `0` we prevent the process from writing a single byte into any file

### `DeviceAllow=`

- Use when a service should get access to specific devices only
- e.g. `DeviceAllow=/dev/sda5 rwm`: this service gets access to no devices except `/dev/sda5`, and it may read (`r`), write (`w`) and create device nodes (`m`) for it
- Enforced through the cgroup device controller; with the default `DevicePolicy=auto` the standard pseudo devices (`/dev/null`, `/dev/zero`, ...) stay accessible alongside the listed ones

### `TasksMax=`

- The service may have at most this many processes/threads at any time, counted through the `pids` cgroup controller
- End of `fork()` bombs
- Unlike `LimitNPROC=` this is counted per service, not per user
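Pulling the directives above together, added here as a worked example and not a unit from the talk: a hypothetical `example-daemon.service` for a web daemon at an assumed path that must bind port 80 but otherwise needs nothing privileged. The binary, user, state directory and port are assumptions. `AmbientCapabilities=` needs systemd 229 and Linux 4.3 or newer.

```ini
# /etc/systemd/system/example-daemon.service
# Constructed example: the binary, user, directories and port are assumptions.
[Unit]
Description=Hardened example network daemon
After=network.target

[Service]
ExecStart=/usr/bin/example-daemon --port 80 --state /var/lib/example-daemon

# Never run as root. The bounding set caps what the process may ever hold,
# the ambient set is what the unprivileged user actually gets handed.
User=example-daemon
Group=example-daemon
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
# setuid/setgid/fcaps binaries the daemon might exec lose their power.
NoNewPrivileges=yes

# File system view: OS read-only, no /home, private /tmp and /dev, and
# exactly one writable state directory carved out of a read-only /var/lib.
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadOnlyDirectories=/var/lib
ReadWriteDirectories=/var/lib/example-daemon
# Mounts the service makes do not propagate back to the host.
MountFlags=slave

# Network: it serves clients, so no PrivateNetwork=, but only IP and Unix
# sockets; AF_PACKET, AF_NETLINK and the rest are refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

# Syscalls: native ABI only (closes the 32-bit compat table) and a deny-list
# of calls a web daemon has no business making.
SystemCallArchitectures=native
SystemCallFilter=~ptrace mount umount2 pivot_root swapon swapoff reboot kexec_load

# Resource limits: per-service task cap (fork bombs) plus the per-UID limit.
TasksMax=64
LimitNPROC=64

[Install]
WantedBy=multi-user.target
```

The state directory `/var/lib/example-daemon` has to exist and be owned by the service user before the first start (e.g. via `tmpfiles.d`), because the unit itself can no longer create it under the read-only `/var/lib`. Newer systemd versions ship `systemd-analyze security example-daemon.service`, which scores a unit against this set of directives and is a quick way to spot which ones are still missing.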

Links:

- Video: https://www.youtube.com/watch?v=hiW8eIdcRgo
- Schedule: https://coreosfest2016.sched.org/event/6T0Y/keynote-security-features-in-systemd-lennart-poettering