From: Patrick Donnelly Date: Fri, 1 Feb 2019 19:48:00 +0000 (-0800) Subject: systemd: lock down privileges more X-Git-Tag: v14.1.0~174^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=517670926a27088d24b4bad4c577fd13c6f7ec6a;p=ceph.git systemd: lock down privileges more Signed-off-by: Patrick Donnelly
---
diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in
index 11eb7e760d72..d603042b1203 100644
--- a/systemd/ceph-fuse@.service.in
+++ b/systemd/ceph-fuse@.service.in
@@ -9,6 +9,14 @@ PartOf=ceph-fuse.target
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-fuse -f --cluster ${CLUSTER} %I
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+# ceph-fuse requires access to /dev fuse device
+PrivateDevices=no
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 TasksMax=infinity
 Restart=on-failure
 StartLimitInterval=30min
diff --git a/systemd/ceph-mds@.service.in b/systemd/ceph-mds@.service.in
index bd472f66b22f..39a2e63105b0 100644
--- a/systemd/ceph-mds@.service.in
+++ b/systemd/ceph-mds@.service.in
@@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-mgr@.service.in b/systemd/ceph-mgr@.service.in
index fab1b9e8e5de..f85047153494 100644
--- a/systemd/ceph-mgr@.service.in
+++ b/systemd/ceph-mgr@.service.in
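Review bot: ProtectControlGroups=true and ProtectKernelTunables=true are mount-namespace directives, and systemd.exec(5) documents that such directives downgrade the unit's mount propagation from shared to slave, so the FUSE mount that ceph-fuse performs at %I may end up visible only inside the unit's own namespace rather than on the host; this needs verifying on a test host, because the unit would then start cleanly while leaving nothing mounted for users. ceph-fuse also still runs as root here (the ExecStart line carries no --setuser/--setgroup, unlike the daemon units), so the per-process hardening carries more weight than in the other hunks and the `PrivateDevices=no` comment could name the device precisely, e.g. `# ceph-fuse needs /dev/fuse, which a private /dev would not provide`. If the propagation concern is confirmed, dropping those two directives for this unit only and recording why in a comment is the conservative fix.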
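Review bot: Nothing in the ceph-mds hunk records the systemd version these directives require: LockPersonality= is the newest of them (systemd 235), and an older systemd logs a warning for an unknown directive and ignores the line, so on such hosts the unit starts with none of this hardening and nothing fails loudly. The same applies to every unit touched by this commit (ceph-fuse, ceph-mgr, ceph-mon, ceph-osd, ceph-radosgw, ceph-rbd-mirror). A one-line comment above the first directive, `# hardening directives below need systemd >= 235; older versions warn and ignore them`, would tell packagers and operators what coverage to expect on each distribution.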
@@ -9,9 +9,18 @@ LimitNOFILE=1048576
 LimitNPROC=1048576
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
-
 ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=yes
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+PrivateTmp=true
 Restart=on-failure
 RestartSec=10
 StartLimitInterval=30min
diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index c2566f37b954..c95fcabb26d6 100644
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -17,8 +17,15 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Need NewPrivileges via `sudo smartctl`
+NoNewPrivileges=false
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-osd@.service.in b/systemd/ceph-osd@.service.in
index 41df6e843d87..1b5c9c82b866 100644
--- a/systemd/ceph-osd@.service.in
+++ b/systemd/ceph-osd@.service.in
@@ -12,7 +12,15 @@ Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecStartPre=/usr/lib/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Need NewPrivileges via `sudo smartctl`
+NoNewPrivileges=false
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+# flushing filestore requires access to /proc/sys/vm/drop_caches
+ProtectKernelTunables=false
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
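Review bot: `MemoryDenyWriteExecute=true` on ceph-mgr deserves a start-up test with the bundled Python modules before it is enabled unconditionally: the mgr embeds a Python interpreter, and extensions built on ctypes/libffi commonly need a writable-and-executable mapping, which this directive refuses, so a problem would surface as a module load error rather than a unit failure. I cannot tell from the hunk which modules are enabled, so treat this as something to confirm rather than a known breakage. If a module does need it, the setting can be relaxed for this unit alone with a comment explaining why, in the same way the ceph-mon and ceph-osd hunks document their NoNewPrivileges= exemption.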
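Review bot: In the ceph-mon hunk the `sudo smartctl` justification for `NoNewPrivileges=false` sits directly above the existing `PrivateDevices=yes`, and per systemd.exec(5) that directive gives the service a private /dev holding only pseudo-devices and removes CAP_SYS_RAWIO and CAP_MKNOD from the bounding set, so a smartctl started from this unit is unlikely to reach the monitor's disk whether or not it can gain privileges through sudo. Either the justification does not hold and `NoNewPrivileges=true` can be used here as in the other daemons, or the device access the mon actually needs should be documented next to it; this should be checked against the real smartctl invocation, which is outside the hunk. Keeping NoNewPrivileges=false leaves setuid/setgid binaries as a privilege-gain path for a compromised mon process, so the exemption is worth keeping as narrow as the evidence allows.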
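Review bot: In the ceph-osd hunk `ProtectKernelTunables=false` is the systemd default, so the added line changes nothing at runtime, but its comment understates the exemption: it leaves all of /proc/sys and /sys writable by the OSD, not only /proc/sys/vm/drop_caches. The comment should say so, e.g. `# flushing filestore requires writing /proc/sys/vm/drop_caches; this leaves all of /proc/sys and /sys writable`, so a later reader does not assume the directive was narrowed to that one path. `NoNewPrivileges=false` here follows the same default-plus-comment pattern as the ceph-mon hunk; the OSD unit sets no PrivateDevices=, so the smartctl justification is more plausible for it, but the exemption is still worth revisiting once the smartctl path is confirmed.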
diff --git a/systemd/ceph-radosgw@.service.in b/systemd/ceph-radosgw@.service.in
index e2dac0bf3f0e..7e3ddf6c0473 100644
--- a/systemd/ceph-radosgw@.service.in
+++ b/systemd/ceph-radosgw@.service.in
@@ -10,8 +10,14 @@ LimitNPROC=1048576
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-rbd-mirror@.service.in b/systemd/ceph-rbd-mirror@.service.in
index f8b15dcd401a..1b0d38b9a0fb 100644
--- a/systemd/ceph-rbd-mirror@.service.in
+++ b/systemd/ceph-rbd-mirror@.service.in
@@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/rbd-mirror -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 Restart=on-failure