templates/systemd/mastodon: update sandbox mode (#16235)

* templates/systemd/mastodon: add new sandboxing options

* templates/systemd/mastodon: add '@privileged' and remove duplicate SystemCallFilters

* templates/systemd/mastodon: add '@ipc' SystemCallFilter

* templates/systemd/mastodon: add '@memlock' SystemCallFilter

* templates/systemd/mastodon: allow '@resources' filter to mastodon-web service
Yurii Izorkin 2021-10-25 17:31:20 +03:00 committed by GitHub
parent 31fb810ffa
commit 8f48169eb2
3 changed files with 23 additions and 3 deletions


@ -13,6 +13,9 @@ Environment="LD_PRELOAD=libjemalloc.so"
ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25 ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25
TimeoutSec=15 TimeoutSec=15
Restart=always Restart=always
# Proc filesystem
ProcSubset=pid
ProtectProc=invisible
# Capabilities # Capabilities
CapabilityBoundingSet= CapabilityBoundingSet=
# Security # Security
@ -35,11 +38,15 @@ RestrictNamespaces=true
LockPersonality=true LockPersonality=true
RestrictRealtime=true RestrictRealtime=true
RestrictSUIDSGID=true RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true PrivateMounts=true
ProtectClock=true ProtectClock=true
# System Call Filtering # System Call Filtering
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
SystemCallFilter=@chown
SystemCallFilter=pipe
SystemCallFilter=pipe2
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
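Review bot: The new `@ipc` entry on the SystemCallFilter deny line, with `pipe` and `pipe2` re-allowed on the two lines after it, leaves every other member of `@ipc` (SysV/POSIX message queues, semaphores, shared memory and, in current systemd releases, `memfd_create`) fatal for the worker: with no `SystemCallErrorNumber=` set, a blocked call kills the process with SIGSYS instead of returning an error. That fail-closed behaviour is the right default, but nothing in the unit says so; a comment above the filter such as `# @ipc denied wholesale (pipe/pipe2 re-allowed below); any other @ipc call kills the worker with SIGSYS - 'systemd-analyze syscall-filter @ipc' lists the set` would save the next operator a debugging session. Likewise `SystemCallFilter=@chown` re-opens a family that the new `@privileged` entry closes; because `CapabilityBoundingSet=` is empty (context in the first hunk of this section), this only permits chown on files the service user already owns, which is worth stating in a one-line comment next to it. The streaming and web sections below use the same deny/re-allow pattern and need the same comments. The `[Service]` section these hunks sit in starts outside the visible context.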


@ -12,6 +12,9 @@ Environment="STREAMING_CLUSTER_NUM=1"
ExecStart=/usr/bin/node ./streaming ExecStart=/usr/bin/node ./streaming
TimeoutSec=15 TimeoutSec=15
Restart=always Restart=always
# Proc filesystem
ProcSubset=pid
ProtectProc=invisible
# Capabilities # Capabilities
CapabilityBoundingSet= CapabilityBoundingSet=
# Security # Security
@ -34,11 +37,14 @@ RestrictNamespaces=true
LockPersonality=true LockPersonality=true
RestrictRealtime=true RestrictRealtime=true
RestrictSUIDSGID=true RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true PrivateMounts=true
ProtectClock=true ProtectClock=true
# System Call Filtering # System Call Filtering
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
SystemCallFilter=pipe
SystemCallFilter=pipe2
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
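Review bot: `ProcSubset=pid` in the first hunk removes the non-process entries of /proc, so anything in the streaming server that reads /proc/cpuinfo, /proc/stat or /proc/meminfo — Node's `os.cpus()` presumably goes through them via libuv — will see missing files rather than CPU data. The hunk context pins `STREAMING_CLUSTER_NUM=1`, so worker-count autodetection is likely not exercised here, but that dependency is invisible in the unit; a comment such as `# ProcSubset=pid hides /proc/cpuinfo etc. - keep STREAMING_CLUSTER_NUM set explicitly` above the line would make it explicit. In the second hunk `@memlock` joins the deny list only in this unit, and this unit alone does not re-allow `@chown`; a one-line comment saying why the streaming service's policy differs from the sidekiq and web units would make the intended policy reviewable rather than something to reconstruct from the PR. The `[Service]` section these hunks belong to begins outside the visible context.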


@ -13,6 +13,9 @@ ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
ExecReload=/bin/kill -SIGUSR1 $MAINPID ExecReload=/bin/kill -SIGUSR1 $MAINPID
TimeoutSec=15 TimeoutSec=15
Restart=always Restart=always
# Proc filesystem
ProcSubset=pid
ProtectProc=invisible
# Capabilities # Capabilities
CapabilityBoundingSet= CapabilityBoundingSet=
# Security # Security
@ -35,11 +38,15 @@ RestrictNamespaces=true
LockPersonality=true LockPersonality=true
RestrictRealtime=true RestrictRealtime=true
RestrictSUIDSGID=true RestrictSUIDSGID=true
RemoveIPC=true
PrivateMounts=true PrivateMounts=true
ProtectClock=true ProtectClock=true
# System Call Filtering # System Call Filtering
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @setuid @swap SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
SystemCallFilter=@chown
SystemCallFilter=pipe
SystemCallFilter=pipe2
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
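Review bot: Dropping `@resources` from the deny line in the second hunk re-enables `setrlimit`, `prlimit64`, `setpriority` and the memory-policy calls for the puma process, while the streaming unit keeps them denied; the commit message records the decision but the unit file does not, and the unit file is what operators copy and diff. Add a comment above the filter, e.g. `# @resources intentionally not filtered for the web service (see #16235)`, so the divergence from mastodon-streaming is visible without the git history. With `RestrictRealtime=true` and an empty `CapabilityBoundingSet=` in context, the practical effect is limited to the service adjusting its own limits and scheduling, which is worth stating in the same comment so a later reader does not tighten it back reflexively. The `[Service]` section containing both hunks starts outside the visible context.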