From 944ba56043e75c3b5fcb4634ea65ae84b8695b10 Mon Sep 17 00:00:00 2001
From: link2xt
Date: Thu, 28 Mar 2024 22:36:24 +0000
Subject: [PATCH] Apply systemd restrictions to echobot

These options are suggested by `systemd-analyze security echobot.service`
---
 CHANGELOG.md | 3 ++
 .../src/cmdeploy/service/echobot.service.f | 39 +++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4ad0cee9..e4448bd5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,9 @@
 ## untagged
+- Apply systemd restrictions to echobot
+  ([#259](https://github.com/deltachat/chatmail/pull/259))
+
 - re-enable running the CI in pull requests, but not concurrently
   ([#258](https://github.com/deltachat/chatmail/pull/258))
diff --git a/cmdeploy/src/cmdeploy/service/echobot.service.f b/cmdeploy/src/cmdeploy/service/echobot.service.f
index 52d9eef2..149fcbb1 100644
--- a/cmdeploy/src/cmdeploy/service/echobot.service.f
+++ b/cmdeploy/src/cmdeploy/service/echobot.service.f
@@ -7,5 +7,44 @@ Environment="PATH={remote_venv_dir}:$PATH"
 Restart=always
 RestartSec=30
+# Apply security restrictions suggested by
+# systemd-analyze security echobot.service
+CapabilityBoundingSet=
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateMounts=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=noaccess
+
+# Should be "strict", but we currently write /accounts folder in a protected path
+ProtectSystem=full
+
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
+UMask=0077
+
 [Install]
 WantedBy=multi-user.target
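Review bot: The ten `SystemCallFilter=~@…` lines form a deny-list, so every syscall outside those groups stays permitted and the list must be revisited whenever a new group becomes relevant; the allow-list form the systemd documentation recommends, `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`, replaces all ten lines and is the stricter of the two. The comment above `ProtectSystem=full` names the /accounts write as the reason for not using strict but leaves it unresolved; `ProtectSystem=strict` together with `ReadWritePaths=<accounts dir>` would keep the rest of the tree read-only while granting write access only to that directory, and `ProtectHome=true` (absent from this list) could then be added if the directory lives outside /home. Since `{remote_venv_dir}` suggests a Python process, the `@resources` denial (which covers setrlimit) and the absence of AF_UNIX in `RestrictAddressFamilies=` are worth confirming against a run of the bot under the new unit, as either only surfaces at runtime.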