Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplify hardening of systemd services #20247

Closed
gytis-ivaskevicius opened this issue Jul 19, 2021 · 1 comment
Closed

Simplify hardening of systemd services #20247

gytis-ivaskevicius opened this issue Jul 19, 2021 · 1 comment
Labels
duplicate

Comments

@gytis-ivaskevicius
Copy link

Is your feature request related to a problem? Please describe.
Hardening services is complicated due to amount of options there are. Here is an example: https://github.com/NixOS/nixpkgs/blob/nixos-21.05/nixos/modules/services/continuous-integration/github-runner.nix#L259-L296

Describe the solution you'd like
I'd like to have an option or type of unit which would drop privileges as much as possible. No filesystem, no network, no devices, no nothing.
In other words - I'd like to see a whitelist policy instead of a blacklist (much like OCI containers)

Describe alternatives you've considered
Creating some sort of builder with certain defaults.

The systemd version you checked that didn't have the feature you are asking for

v249
@bluca
Copy link
Member

bluca commented Jul 19, 2021

There's an existing ticket for this: #16511

@bluca bluca closed this as completed Jul 19, 2021
@dcousens dcousens mentioned this issue May 24, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
duplicate
Milestone
No milestone
Development

No branches or pull requests
2 participants
@bluca @gytis-ivaskevicius