systemd: lock down privileges more

Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>

diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in
index 11eb7e760d72c14c747bdf7a9d5fd224edc55074..d603042b1203ac959abe8c639361e17ef4580875 100644 (file)
--- a/systemd/ceph-fuse@.service.in
+++ b/systemd/ceph-fuse@.service.in
@@ -9,6 +9,14 @@ PartOf=ceph-fuse.target
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-fuse -f --cluster ${CLUSTER} %I
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+# ceph-fuse requires access to /dev fuse device
+PrivateDevices=no
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 TasksMax=infinity
 Restart=on-failure
 StartLimitInterval=30min

diff --git a/systemd/ceph-mds@.service.in b/systemd/ceph-mds@.service.in
index bd472f66b22fe19c192a1d8ab930628c112365a7..39a2e63105b0625725b542a3457b656fd47340c4 100644 (file)
--- a/systemd/ceph-mds@.service.in
+++ b/systemd/ceph-mds@.service.in
@@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity

diff --git a/systemd/ceph-mgr@.service.in b/systemd/ceph-mgr@.service.in
index fab1b9e8e5de205e244f15a1f5e411972217a9f8..f85047153494987f6d1c637b5f855694344025f7 100644 (file)
--- a/systemd/ceph-mgr@.service.in
+++ b/systemd/ceph-mgr@.service.in
@@ -9,9 +9,18 @@ LimitNOFILE=1048576
 LimitNPROC=1048576
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
-
 ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=yes
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+PrivateTmp=true
 Restart=on-failure
 RestartSec=10
 StartLimitInterval=30min

diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index c2566f37b954ef9db2a5a5aa9a4aa078405a887f..c95fcabb26d6c6f87580cfa651543adae6cef208 100644 (file)
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -17,8 +17,15 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Need NewPrivileges via `sudo smartctl`
+NoNewPrivileges=false
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity

diff --git a/systemd/ceph-osd@.service.in b/systemd/ceph-osd@.service.in
index 41df6e843d87c8bd71cf70defddbd74670040885..1b5c9c82b8668317f5969bc5929656a2d2a1cf88 100644 (file)
--- a/systemd/ceph-osd@.service.in
+++ b/systemd/ceph-osd@.service.in
@@ -12,7 +12,15 @@ Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecStartPre=/usr/lib/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Need NewPrivileges via `sudo smartctl`
+NoNewPrivileges=false
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+# flushing filestore requires access to /proc/sys/vm/drop_caches
+ProtectKernelTunables=false
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity

diff --git a/systemd/ceph-radosgw@.service.in b/systemd/ceph-radosgw@.service.in
index e2dac0bf3f0e31549ce92d3db808c4895719afa0..7e3ddf6c04731ab1a20c410711c526ff2bbcc8a7 100644 (file)
--- a/systemd/ceph-radosgw@.service.in
+++ b/systemd/ceph-radosgw@.service.in
@@ -10,8 +10,14 @@ LimitNPROC=1048576
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity

diff --git a/systemd/ceph-rbd-mirror@.service.in b/systemd/ceph-rbd-mirror@.service.in
index f8b15dcd401a07c9fdedccb8de41cd9532e73923..1b0d38b9a0fb0c64f8b6415f0aa85a63f97484b7 100644 (file)
--- a/systemd/ceph-rbd-mirror@.service.in
+++ b/systemd/ceph-rbd-mirror@.service.in
@@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/rbd-mirror -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 Restart=on-failure