From ec2ce8cd279537f397ab2ea283aafadf89a448c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Erik=20Sj=C3=B6lund?=
Date: Thu, 13 Jul 2023 18:28:33 +0200
Subject: [PATCH] Improve security of rest-server.service by restricting network access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This patch improves the overall security assessment score given by `systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253)

* Remove `AF_INET AF_INET6` from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page.
* Add `PrivateNetwork=yes` as recommended for socket-activated services in the systemd.socket man page
* Add dependency on rest-server.socket

Signed-off-by: Erik Sjölund
---
 examples/systemd/rest-server.service | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/examples/systemd/rest-server.service b/examples/systemd/rest-server.service
index daa2f2c..1b6b34a 100644
--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@@ -2,9 +2,8 @@
 Description=Rest Server
 After=syslog.target
 After=network.target
-
-# if you want to use socket activation, make sure to require the socket here
-#Requires=rest-server.socket
+Requires=rest-server.socket
+After=rest-server.socket
 
 [Service]
 Type=simple
@@ -37,6 +36,11 @@ CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
+
+# As the listen socket is created by systemd via the rest-server.socket unit, it is
+# no longer necessary for rest-server to have access to the host network namespace.
+PrivateNetwork=yes
+
 PrivateTmp=yes
 PrivateDevices=true
 PrivateUsers=true
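Review bot: The hard `Requires=rest-server.socket` in the first hunk removes the example's previously documented opt-in, so anyone copying this unit without also installing rest-server.socket gets a dependency failure with no hint in the file about why. The rest of the unit is now tuned for socket activation (the later PrivateNetwork and RestrictAddressFamilies changes depend on it), so the requirement deserves to be stated where the unit fails, e.g. a comment above the new line: `# This unit relies on socket activation; install and enable rest-server.socket alongside it.` The `[Unit]` section header that encloses these lines is on the line before the hunk.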
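Review bot: `PrivateNetwork=yes` in the second hunk is only safe if the ExecStart line, which is outside this hunk, does not also make rest-server open a listener of its own; a listen address configured there would be bound inside the private namespace where nothing can reach it, and the service would look healthy while being unreachable. I cannot see ExecStart here, so this is inferred, but the new comment should say it explicitly, e.g. append `# Do not configure a listen address in ExecStart: the service cannot bind a reachable address inside its private network namespace.` The `[Service]` section header enclosing this hunk is outside it.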
@@ -51,7 +55,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host
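Review bot: `RestrictAddressFamilies=none` forbids the process from creating any socket of its own, AF_UNIX included, which is a stronger restriction than the commit message describes and is not explained in the file. That is correct as long as rest-server only serves the socket inherited from rest-server.socket, but a later maintainer adding notify support or any outbound connection will see unexplained socket failures (EAFNOSUPPORT per systemd.exec). A comment above the line such as `# Sockets inherited from rest-server.socket are unaffected; the process itself may not open any socket, AF_UNIX included.` records the reasoning next to the setting. The `[Service]` section header enclosing this hunk is outside it.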