Merge pull request openSUSE#646 from aschnell/master

added systemd sandboxing for services
leonardohn · Apr 28, 2021 · 75c0971 · 75c0971
2 parents a39f690 + 062b6ad
commit 75c0971
Show file tree

Hide file tree

Showing 7 changed files with 69 additions and 1 deletion.
diff --git a/data/boot.service b/data/boot.service
@@ -5,3 +5,14 @@ ConditionPathExists=/etc/snapper/configs/root
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/snapper --config root create --cleanup-algorithm number --description "boot"
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/cleanup.service b/data/cleanup.service
@@ -8,3 +8,14 @@ Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --cleanup
 IOSchedulingClass=idle
 CPUSchedulingPolicy=idle
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/snapperd.service b/data/snapperd.service
@@ -6,3 +6,14 @@ Documentation=man:snapperd(8)
 Type=dbus
 BusName=org.opensuse.Snapper
 ExecStart=/usr/sbin/snapperd
+
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/data/systemd-sandboxing.txt b/data/systemd-sandboxing.txt
@@ -0,0 +1,21 @@
+
+Notes about systemd sandboxing
+------------------------------
+
+CapabilityBoundingSet=CAP_SYS_ADMIN is needed to get the btrfs default
+subvolume id.
+
+ProtectClock=true breaks LVM - strange.
+
+CAP_SYS_MODULE is needed for LVM (creating snapshots, loads
+dm_snapshot).
+
+ProtectKernelModules=true breaks LVM.
+
+CapabilityBoundingSet=CAP_SYS_NICE is also needed by LVM.
+
+ProtectHome=true breaks diff for LVM.
+
+SystemCallFilter=@mount breaks almost everything with older systemd,
+e.g. on SLE15 SP1.
+
diff --git a/data/timeline.service b/data/timeline.service
@@ -7,3 +7,13 @@ Documentation=man:snapper(8) man:snapper-configs(5)
 Type=simple
 ExecStart=/usr/lib/snapper/systemd-helper --timeline
 
+CapabilityBoundingSet=CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_SYS_ADMIN CAP_SYS_MODULE CAP_IPC_LOCK CAP_SYS_NICE
+LockPersonality=true
+NoNewPrivileges=false
+PrivateNetwork=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+RestrictAddressFamilies=AF_UNIX
+RestrictRealtime=true
diff --git a/package/snapper.changes b/package/snapper.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Apr 28 10:17:14 CEST 2021 - [email protected]
+
+- added systemd sandboxing for services
+
 -------------------------------------------------------------------
 Mon Apr 19 09:56:40 CEST 2021 - [email protected]
 

diff --git a/snapper/Lvm.cc b/snapper/Lvm.cc
@@ -360,7 +360,6 @@ namespace snapper
 
 	    if (!umount(info_dir, "snapshot"))
 		throw UmountSnapshotFailedException();
-
 	}
 
 	try
-Original file line number
+Diff line change
@@ Expand Up / @@ -360,7 +360,6 @@ namespace snapper @@
     	    if (!umount(info_dir, "snapshot"))
     		throw UmountSnapshotFailedException();
     	}
     	try
@@ Expand Down @@