Last active
March 25, 2018 20:38
-
-
Save lucaswerkmeister/e8ea45101268e1b90974935400cb87bb to your computer and use it in GitHub Desktop.
systemd sandboxes for three services I found running as unsandboxed root on my desktop system.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/systemd/system/geoclue.service.d/sandbox.conf | |
| # I have no idea what this service needs, but hopefully we can at least sandbox it a little bit… | |
| [Service] | |
| RuntimeDirectory=%p | |
| ProtectSystem=strict | |
| ProtectHome=yes | |
| InaccessiblePaths=-/etc/shadow -/etc/gshadow -/var/lib/sudo -/etc/ssh -/etc/opendkim -/var/lib/tor | |
| PrivateTmp=yes | |
| ProtectKernelTunables=yes | |
| ProtectControlGroups=yes | |
| RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX | |
| MemoryDenyWriteExecute=yes | |
| NoNewPrivileges=yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/systemd/system/udisks2.service.d/sandbox.conf | |
| # I have no idea what this service needs, but hopefully we can at least sandbox it a little bit… | |
| # WARNING: This service mounts and unmounts devices, therefore it must remain in the top-level mount namespace. | |
| # This means that any file system namespace related options | |
| # (PrivateTmp=, PrivateDevices=, ProtectSystem=, ProtectHome=, ProtectKernelTunables=, ProtectControlGroups=, ReadOnlyPaths=, InaccessiblePaths=, ReadWritePaths=; see description of MountFlags= in systemd.exec(5)) | |
| # CANNOT BE USED. | |
| [Service] | |
| CapabilityBoundingSet=CAP_SYS_ADMIN CAP_CHOWN CAP_SYS_RAWIO | |
| PrivateNetwork=yes | |
| RestrictAddressFamilies=AF_UNIX | |
| MemoryDenyWriteExecute=yes | |
| NoNewPrivileges=yes |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # /etc/systemd/system/upower.service.d/sandbox.conf | |
| # I have no idea what this service needs, but hopefully we can at least sandbox it a little bit… | |
| [Service] | |
| RuntimeDirectory=%p | |
| ProtectSystem=strict | |
| ProtectHome=yes | |
| InaccessiblePaths=-/etc/shadow -/etc/gshadow -/var/lib/sudo -/etc/ssh -/etc/opendkim -/var/lib/tor | |
| PrivateTmp=yes | |
| PrivateNetwork=yes | |
| ProtectKernelTunables=yes | |
| ProtectControlGroups=yes | |
| RestrictAddressFamilies=AF_UNIX AF_NETLINK | |
| MemoryDenyWriteExecute=yes | |
| NoNewPrivileges=yes |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment