Google Git
Sign in
kernel / pub / scm / network / wireless / iwd / 6e44295fe2d928ba6cfeb43c08028d5af245d1d5
commit6e44295fe2d928ba6cfeb43c08028d5af245d1d5[log] [tgz]
authorChristian Rebischke <chris@nullday.de>Tue Feb 26 00:30:09 2019 +0100
committerDenis Kenzior <denkenz@gmail.com>Tue Mar 19 14:00:46 2019 -0500
tree6aca069bc3a7cac1cbd764a3773eaef83b49d2f8
parentdee670312207560509b3a9f3e9e86e8d4c86b620 [diff]
iwd.service: Harden systemd service file

This commit hardens the iwd.service.in template file for systemd
services. The following is a short explanation for each added directive:

+PrivateTmp=true

If true, sets up a new file system namespace for the executed processes
and mounts private /tmp and /var/tmp directories inside it that is not
shared by processes outside of the namespace.

+NoNewPrivileges=true

If true, ensures that the service process and all its children can never
gain new privileges through execve() (e.g. via setuid or setgid bits, or
filesystem capabilities).

+PrivateDevices=true

If true, sets up a new /dev mount for the executed processes and only
adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as
well as the pseudo TTY subsystem) to it, but no physical devices such as
/dev/sda, system memory /dev/mem, system ports /dev/port and others.

+ProtectHome=yes

If true, the directories /home, /root and /run/user are made
inaccessible and empty for processes invoked by this unit.

+ProtectSystem=strict

If set to "strict" the entire file system hierarchy is mounted
read-only, except for the API file system subtrees /dev, /proc and /sys
(protect these directories using PrivateDevices=,
ProtectKernelTunables=, ProtectControlGroups=).

+ReadWritePaths=/var/lib/iwd/

Sets up a new file system namespace for executed processes. These
options may be used to limit access a process might have to the file
system hierarchy. Each setting takes a space-separated list of paths
relative to the host's root directory (i.e. the system running the
service manager). Note that if paths contain symlinks, they are resolved
relative to the root directory set with RootDirectory=/RootImage=.
Paths listed in ReadWritePaths= are accessible from within
the namespace with the same access modes as from outside of
it.

+ProtectControlGroups=yes

If true, the Linux Control Groups (cgroups(7)) hierarchies accessible
through /sys/fs/cgroup will be made read-only to all processes of the
unit.

+ProtectKernelModules=yes

If true, explicit module loading will be denied. This allows module
load and unload operations to be turned off on modular kernels.

For further explanation to all directives see `man systemd.directives`
1 file changed
tree: 6aca069bc3a7cac1cbd764a3773eaef83b49d2f8
  1. autotests/
  2. client/
  3. doc/
  4. linux/
  5. monitor/
  6. plugins/
  7. src/
  8. test/
  9. tools/
  10. unit/
  11. wired/
  12. .gitignore
  13. acinclude.m4
  14. AUTHORS
  15. bootstrap
  16. bootstrap-configure
  17. ChangeLog
  18. configure.ac
  19. COPYING
  20. HACKING
  21. INSTALL
  22. Makefile.am
  23. README
  24. TODO