From 517670926a27088d24b4bad4c577fd13c6f7ec6a Mon Sep 17 00:00:00 2001
From: Patrick Donnelly
Date: Fri, 1 Feb 2019 11:48:00 -0800
Subject: [PATCH] systemd: lock down privileges more

Signed-off-by: Patrick Donnelly
---
 systemd/ceph-fuse@.service.in | 8 ++++++++
 systemd/ceph-mds@.service.in | 6 ++++++
 systemd/ceph-mgr@.service.in | 11 ++++++++++-
 systemd/ceph-mon@.service.in | 7 +++++++
 systemd/ceph-osd@.service.in | 8 ++++++++
 systemd/ceph-radosgw@.service.in | 6 ++++++
 systemd/ceph-rbd-mirror@.service.in | 6 ++++++
 7 files changed, 51 insertions(+), 1 deletion(-)

diff --git a/systemd/ceph-fuse@.service.in b/systemd/ceph-fuse@.service.in
index 11eb7e760d7..d603042b120 100644
--- a/systemd/ceph-fuse@.service.in
+++ b/systemd/ceph-fuse@.service.in
@@ -9,6 +9,14 @@ PartOf=ceph-fuse.target
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-fuse -f --cluster ${CLUSTER} %I
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+# ceph-fuse requires access to /dev fuse device
+PrivateDevices=no
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 TasksMax=infinity
 Restart=on-failure
 StartLimitInterval=30min
diff --git a/systemd/ceph-mds@.service.in b/systemd/ceph-mds@.service.in
index bd472f66b22..39a2e63105b 100644
--- a/systemd/ceph-mds@.service.in
+++ b/systemd/ceph-mds@.service.in
@@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-mgr@.service.in b/systemd/ceph-mgr@.service.in
index fab1b9e8e5d..f8504715349 100644
--- a/systemd/ceph-mgr@.service.in
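Review bot: The comment added above `PrivateDevices=no` names the device imprecisely, and this unit's hardening set is thinner than the sibling units' without saying why: ceph-fuse is the only daemon in this series whose ExecStart context line has no `--setuser`/`--setgroup`, so it keeps running as root, yet it receives none of `ProtectHome=`, `ProtectSystem=` or `PrivateTmp=`. Presumably that is because the mount point `%I` may live anywhere in the tree, including under /home; if so, record it next to the existing exception, e.g. `# ceph-fuse requires access to /dev/fuse` and `# mount point %I may be anywhere (incl. /home), so ProtectHome/ProtectSystem are not set here`. `PrivateDevices=no` also mixes the yes/no spelling with the `true` used on the surrounding new lines; both parse, but one form reads better in a block that is meant to be compared across units.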
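Review bot: `ProtectSystem=full` (a retained context line here, newly added in the ceph-mgr hunk) leaves everything outside /usr, /boot and /etc writable, which for a daemon that drops to the ceph user via `--setuser` is wider than it needs; the same applies to the ceph-radosgw and ceph-rbd-mirror hunks. A tighter follow-up, once the directories each daemon actually writes (its state, log and admin-socket directories) are confirmed against the packaging, would be `ProtectSystem=strict` plus a `ReadWritePaths=` listing just those. The new lines are consistent across these four units, which is good; a one-line comment such as `# daemon drops to ceph via --setuser, so NoNewPrivileges=true is safe here` would record why the setting is fine for these units but relaxed for mon and osd.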
+++ b/systemd/ceph-mgr@.service.in
@@ -9,9 +9,18 @@ LimitNOFILE=1048576
 LimitNPROC=1048576
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
-
 ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=yes
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+PrivateTmp=true
 Restart=on-failure
 RestartSec=10
 StartLimitInterval=30min
diff --git a/systemd/ceph-mon@.service.in b/systemd/ceph-mon@.service.in
index c2566f37b95..c95fcabb26d 100644
--- a/systemd/ceph-mon@.service.in
+++ b/systemd/ceph-mon@.service.in
@@ -17,8 +17,15 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Need NewPrivileges via `sudo smartctl`
+NoNewPrivileges=false
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-osd@.service.in b/systemd/ceph-osd@.service.in
index 41df6e843d8..1b5c9c82b86 100644
--- a/systemd/ceph-osd@.service.in
+++ b/systemd/ceph-osd@.service.in
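Review bot: `MemoryDenyWriteExecute=true` carries more risk for ceph-mgr than for the other daemons in this series, because ceph-mgr hosts Python modules, and Python extensions that build call trampolines through libffi (ctypes callbacks, cffi) have historically needed writable-and-executable mappings, which this setting rejects at mmap/mprotect time. That should be verified by loading the shipped mgr modules under the new unit rather than assumed. If a module breaks, drop only this one setting with a reason attached, e.g. `# mgr python modules need W+X mappings via libffi` above `MemoryDenyWriteExecute=false`, rather than the whole sandbox block.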
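Review bot: The `sudo smartctl` exception (`NoNewPrivileges=false`) sits directly above the retained `PrivateDevices=yes` context line, and `PrivateDevices=` gives the unit a private /dev holding only pseudo-devices (null, zero, random, …), so a smartctl invocation that targets a physical disk node would not find it from inside the mon's mount namespace regardless of the privilege exception; this needs confirming against how the mon actually reaches smartctl (the osd hunk, by contrast, shows no `PrivateDevices=` in its context). If the disk access is really needed, `PrivateDevices=yes` has to go with a comment like the one on NoNewPrivileges; if it is not, the sudo carve-out may be unnecessary here. It is also worth checking on the target systemd version that the seccomp-backed options added in the same hunk (`ProtectKernelModules=`, `LockPersonality=`, …) do not themselves imply NoNewPrivileges for this unit, since `NoNewPrivileges=false` is the default and the added line only documents intent.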
@@ -12,7 +12,15 @@ Environment=CLUSTER=ceph
 ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecStartPre=/usr/lib/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+# Need NewPrivileges via `sudo smartctl`
+NoNewPrivileges=false
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+# flushing filestore requires access to /proc/sys/vm/drop_caches
+ProtectKernelTunables=false
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-radosgw@.service.in b/systemd/ceph-radosgw@.service.in
index e2dac0bf3f0..7e3ddf6c047 100644
--- a/systemd/ceph-radosgw@.service.in
+++ b/systemd/ceph-radosgw@.service.in
@@ -10,8 +10,14 @@ LimitNPROC=1048576
 EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 TasksMax=infinity
diff --git a/systemd/ceph-rbd-mirror@.service.in b/systemd/ceph-rbd-mirror@.service.in
index f8b15dcd401..1b0d38b9a0f 100644
--- a/systemd/ceph-rbd-mirror@.service.in
+++ b/systemd/ceph-rbd-mirror@.service.in
@@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
 Environment=CLUSTER=ceph
 ExecStart=/usr/bin/rbd-mirror -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
 ExecReload=/bin/kill -HUP $MAINPID
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
 PrivateDevices=yes
+ProtectControlGroups=true
 ProtectHome=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
 ProtectSystem=full
 PrivateTmp=true
 Restart=on-failure
-- 
2.39.5
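Review bot: The osd hunk documents both of its relaxations (`NoNewPrivileges=false`, `ProtectKernelTunables=false`) but not the absence of `PrivateDevices=`, which every other daemon unit in this series sets; if the unit sets no `PrivateDevices=` elsewhere (the hunk starts at line 12, so earlier lines are not visible), a line such as `# OSD needs raw block devices and smartctl, so PrivateDevices is not set` keeps that exception as explicit as the other two. `ProtectKernelTunables=false` is also the systemd default and leaves all of /proc/sys and /sys writable to the root-via-sudo path for the sake of one file; if the target systemd version offers a narrower carve-out for `/proc/sys/vm/drop_caches`, that would be preferable, otherwise the existing comment is the right place to record the trade-off. The new sandboxing also applies to the `ExecStartPre=` prestart script visible in context, which is worth exercising under `ProtectSystem=full` before this lands.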