mirror of
http://git.sesse.net/plocate
synced 2025-10-06 03:02:39 +02:00
Sandbox plocate-update.service some more
A variety of sandboxing options, as long as they do not introduce bind
mounts. (Bind mounts cause problems, as noted in commit 1acc100b09, so
leave out ProtectSystem= and a few other options.) The system call
filter is relatively broad, so it will hopefully not break things.
(@chown and CAP_CHOWN are needed because the updater fchown’s the
database file.)
CAP_DAC_READ_SEARCH and CAP_CHOWN together are unfortunately mostly
equivalent to CAP_DAC_OVERRIDE, in that the updater can access any file,
chown it to itself, and then write to it. Users who do not need
--prune-bind-mounts support may wish to enable ProtectSystem=strict
(together with ReadWritePaths= or an equivalent option to make the
database file writable again). But at least this still filters out a lot
of other capabilities.
committed by Steinar H. Gunderson
parent 333235850b
commit d7a9d84a65
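The commit message suggests that hosts which do not need --prune-bind-mounts can close the CAP_DAC_READ_SEARCH + CAP_CHOWN hole with ProtectSystem=strict plus a writable exception for the database. The drop-in below is an added example, not code from the plocate repository or this commit; it assumes the unit is installed as plocate-updatedb.service and that the database lives under /var/lib/plocate (the upstream default), so check `systemctl cat plocate-updatedb.service` and your DBFILE path before applying it.

```ini
# /etc/systemd/system/plocate-updatedb.service.d/protect-system.conf
# Added example, not from the plocate repository. Unit name and database
# directory are assumptions; verify both on the target system first.
[Service]
# Mount the whole file system read-only for this service, except the
# paths listed below. With that in place, chown-ing an arbitrary file to
# the updater's own user no longer yields a writable file anywhere else.
# ProtectSystem= is implemented with a private mount namespace and
# read-only remounts, which is exactly the bind-mount interaction the
# commit message avoids, so only use this if --prune-bind-mounts is off.
ProtectSystem=strict
# The one location where the updater must create, fchown() and replace
# the database file.
ReadWritePaths=/var/lib/plocate
```

After `systemctl daemon-reload`, run the service once (`systemctl start plocate-updatedb.service`) and confirm the database was rewritten; if updatedb is invoked with --prune-bind-mounts it will misbehave under this drop-in, as the commit message warns. `systemd-analyze security plocate-updatedb.service` shows how much the exposure score changes with and without the override.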
@@ -9,6 +9,20 @@ LimitNOFILE=131072
IOSchedulingClass=idle
Nice=19
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_CHOWN
IPAddressDeny=any
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
PrivateNetwork=true
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service @chown
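Review bot: `SystemCallFilter=@system-service @chown` at the end of the hunk has no accompanying `SystemCallErrorNumber=`, so any system call outside the allow list terminates the updater with SIGSYS instead of returning an error; given the commit message's own concern that the filter may break things, consider adding `SystemCallErrorNumber=EPERM` so a blocked call surfaces as a failed operation in the journal rather than a dead process. Also, `@chown` is already a member of `@system-service` in current systemd releases, so listing it separately is harmless but redundant; `systemd-analyze syscall-filter @system-service` shows what the installed version includes. Finally, `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_CHOWN` only bounds what the service may retain: if the unit runs under `User=` rather than as root, those two capabilities are only actually granted with a matching `AmbientCapabilities=` line, which this hunk does not show, so it is worth confirming which case applies.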