[PATCH 1/2] paccache.service.in: Harden unit
Adds a number of sandboxing and other hardening options to the paccache.service file. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/Makefile.am | 2 ++ src/paccache.service.in | 28 ++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/src/Makefile.am b/src/Makefile.am index eef0590..e5af195 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS) conffile = ${sysconfdir}/pacman.conf dbpath = ${localstatedir}/lib/pacman/ gpgdir = ${sysconfdir}/pacman.d/gnupg/ +cachedir = ${localstatedir}/cache/pacman bin_SCRIPTS = \ $(OURSCRIPTS) @@ -95,6 +96,7 @@ AM_CFLAGS = \ edit = sed \ -e 's|@bindir[@]|$(bindir)|g' \ + -e 's|@cachedir[@]|$(cachedir)|g' \ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ -e 's|@localstatedir[@]|$(localstatedir)|g' \ -e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \ diff --git a/src/paccache.service.in b/src/paccache.service.in index cd28e67..0f71f5f 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,3 +4,31 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Sandboxing and other hardening +ProtectProc=invisible +ProcSubset=pid +NoNewPrivileges=yes +ProtectSystem=strict +ProtectHome=yes +ReadWritePaths=@cachedir@/pkg +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +PrivateUsers=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateMounts=yes +SystemCallFilter=@file-system +SystemCallArchitectures=native -- 2.32.0
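Review bot: in the first Makefile.am hunk, `cachedir = ${localstatedir}/cache/pacman` hardcodes pacman's default CacheDir at build time rather than taking it from configuration, and the second hunk's `-e 's|@cachedir[@]|$(cachedir)|g'` bakes that single path into the installed unit; a system whose pacman.conf sets a different or additional CacheDir therefore gets a `ReadWritePaths=` that does not match what paccache will try to clean. If the variable is kept, expose it the way `dbpath` and `gpgdir` are (or document it as a packager override) so it is not silently wrong on non-default layouts.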
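Review bot: `ReadWritePaths=@cachedir@/pkg` combined with `ProtectSystem=strict` leaves every other path read-only, so `paccache -r` will fail to unlink files in any extra CacheDir configured in pacman.conf; either list all cache directories or drop to `ProtectSystem=full`, which keeps /var writable. Separately, `SystemCallFilter=@file-system` is an allow-list containing only the file-system group: if paccache spawns helper processes, `fork`/`clone` live in `@process`, not `@file-system`, and a filtered call kills the process with SIGSYS, which surfaces in the journal as a signal exit with no error message from paccache itself. Please confirm the unit was exercised against a cache that actually had packages to prune, consider starting from the documented `@system-service` baseline, and consider `SystemCallErrorNumber=EPERM` so a missed syscall fails loudly instead of killing the script mid-run.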
On 09/07/2021 09:21, Frederik “Freso” S. Olesen via pacman-contrib wrote:
Adds a number of sandboxing and other hardening options to the paccache.service file.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/Makefile.am | 2 ++ src/paccache.service.in | 28 ++++++++++++++++++++++++++++ 2 files changed, 30 insertions(+)
diff --git a/src/Makefile.am b/src/Makefile.am index eef0590..e5af195 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -8,6 +8,7 @@ DIST_SUBDIRS = $(SUBDIRS) conffile = ${sysconfdir}/pacman.conf dbpath = ${localstatedir}/lib/pacman/ gpgdir = ${sysconfdir}/pacman.d/gnupg/ +cachedir = ${localstatedir}/cache/pacman
bin_SCRIPTS = \ $(OURSCRIPTS) @@ -95,6 +96,7 @@ AM_CFLAGS = \
edit = sed \ -e 's|@bindir[@]|$(bindir)|g' \ + -e 's|@cachedir[@]|$(cachedir)|g' \ -e 's|@sysconfdir[@]|$(sysconfdir)|g' \ -e 's|@localstatedir[@]|$(localstatedir)|g' \ -e 's|@PACKAGE_VERSION[@]|$(REAL_PACKAGE_VERSION)|g' \ diff --git a/src/paccache.service.in b/src/paccache.service.in index cd28e67..0f71f5f 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,3 +4,31 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Sandboxing and other hardening +ProtectProc=invisible +ProcSubset=pid +NoNewPrivileges=yes +ProtectSystem=strict +ProtectHome=yes +ReadWritePaths=@cachedir@/pkg
I and many others have multiple custom cachedirs.
+PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +PrivateUsers=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateMounts=yes +SystemCallFilter=@file-system +SystemCallArchitectures=native
The unit will be run in the background and is not essential for systems to operate, so giving it the lowest priority will help make it less disruptive on its system. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/paccache.service.in b/src/paccache.service.in index 0f71f5f..79b1c91 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,6 +4,13 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Lowering priority +OOMScoreAdjust=1000 +Nice=19 +CPUSchedulingPolicy=idle +CPUSchedulingPriority=1 +IOSchedulingClass=idle +IOSchedulingPriority=7 # Sandboxing and other hardening ProtectProc=invisible ProcSubset=pid -- 2.32.0
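Review bot: `CPUSchedulingPriority=1` cannot take effect together with the `CPUSchedulingPolicy=idle` on the line above: on Linux the only static priority the kernel accepts for SCHED_IDLE (as for SCHED_OTHER and SCHED_BATCH) is 0, so the value is out of range for that policy and should simply be dropped; `systemd-analyze verify` on the rendered unit will show the warning. `IOSchedulingPriority=7` is redundant for the same reason, since the idle I/O class has no priority levels; keeping `IOSchedulingClass=idle` alone is enough. `OOMScoreAdjust=1000` makes paccache the first candidate for the OOM killer, which matches the stated intent but deserves a one-line comment in the unit so nobody later "fixes" it.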
Hello. These are basically just copy/pasted (with minor tweaks for Makefile) from my own override file running on two systems. Since I put in the work writing and testing these options/settings, I figured I’d share them and possibly have them upstreamed if deemed acceptable.

[PATCH 1] tightens the unit down a good deal, which may be too much for some people’s systems. E.g., the ReadWritePaths path is the pacman.conf default, which is a fairly easy one to edit. If people run setups where they use paccache.service with multiple pacman caches, they probably need to edit the .service file anyway, at which point they can also edit the ReadWritePaths to match their setup.

[PATCH 2] basically just deprioritises the paccache process as much as possible. I split that out since it’s not hardening and it might not be something that would be wanted across all systems. Not sure what systems would have this be an important service that should not be as undisruptive as possible, but 🤷.

-- 
Solidarity,
Frederik “Freso” S. Olesen <https://freso.dk/>
On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
they probably need to edit the .service file anyway
Why? Doesn't the service just call `paccache -r`, which in turn reads pacman.conf?
On Fri, Jul 09, 2021 at 11:32:18AM +0100, Morgan Adamiec via pacman-contrib wrote:
On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
they probably need to edit the .service file anyway
Why? Doesn't the service just call `paccache -r`, which in turn reads pacman.conf?
Yeah, you’re right. I forgot that CacheDir can take multiple directories.

v2 of patch 1 changes `ProtectSystem=strict` to `ProtectSystem=full`, which removes the need to specify ReadWritePaths. It can be demoted further to `ProtectSystem=yes` if people use /etc/… as one of the cache directories, or removed entirely if /usr/…, /boot/… or /efi/… are used as cache paths. I guess /usr/local/… might be? /usr/local/ could be added in as a ReadWritePaths if we want to support that while still locking down /usr/ otherwise.

(Patch 2/2 still applies frictionlessly on top of patch 1 v2, so I didn’t resend that.)

-- 
Solidarity,
Frederik “Freso” S. Olesen <https://freso.dk/>
Pushed, thank you! On 7/9/21 6:10 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote:
The unit will be run in the background and is not essential for systems to operate, so giving it the lowest priority will help make it less disruptive on its system.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 7 +++++++ 1 file changed, 7 insertions(+)
diff --git a/src/paccache.service.in b/src/paccache.service.in index 0f71f5f..79b1c91 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,6 +4,13 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Lowering priority +OOMScoreAdjust=1000 +Nice=19 +CPUSchedulingPolicy=idle +CPUSchedulingPriority=1 +IOSchedulingClass=idle +IOSchedulingPriority=7 # Sandboxing and other hardening ProtectProc=invisible ProcSubset=pid
-- Best, Daniel <https://danielcapella.com>
Adds a number of sandboxing and other hardening options to the paccache.service file. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/src/paccache.service.in b/src/paccache.service.in index cd28e67..927574f 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,3 +4,30 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Sandboxing and other hardening +ProtectProc=invisible +ProcSubset=pid +NoNewPrivileges=yes +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +PrivateUsers=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateMounts=yes +SystemCallFilter=@file-system +SystemCallArchitectures=native -- 2.32.0
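Review bot: replacing `ProtectSystem=strict` with `ProtectSystem=full` keeps /var writable, so caches under /var/cache now work without `ReadWritePaths=`, but the unchanged `ProtectHome=yes` still makes /home, /root and /run/user inaccessible to the service, so a CacheDir under a home directory is invisible to `paccache -r` rather than merely read-only. A short comment in the unit (or a line in the paccache man page) listing which CacheDir locations the hardened unit supports, alongside the /etc, /usr and /boot cases raised in the thread, would save users a confusing silent no-op. The `SystemCallFilter=@file-system` allow-list concern from v1 is unchanged here and still worth verifying against a real prune run.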
Pushed, thank you! On 7/9/21 7:01 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote:
Adds a number of sandboxing and other hardening options to the paccache.service file.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> --- src/paccache.service.in | 27 +++++++++++++++++++++++++++ 1 file changed, 27 insertions(+)
diff --git a/src/paccache.service.in b/src/paccache.service.in index cd28e67..927574f 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,3 +4,30 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Sandboxing and other hardening +ProtectProc=invisible +ProcSubset=pid +NoNewPrivileges=yes +ProtectSystem=full +ProtectHome=yes +PrivateTmp=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateIPC=yes +PrivateUsers=yes +ProtectHostname=yes +ProtectClock=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectKernelLogs=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +RestrictNamespaces=yes +LockPersonality=yes +MemoryDenyWriteExecute=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes +RemoveIPC=yes +PrivateMounts=yes +SystemCallFilter=@file-system +SystemCallArchitectures=native
-- Best, Daniel <https://danielcapella.com>
participants (3)
- Daniel M. Capella
- Frederik “Freso” S. Olesen
- Morgan Adamiec