upd: add more sandboxing directives to gigi-proxy.service
authorLucas Werkmeister <mail@lucaswerkmeister.de>
Wed, 18 Jan 2017 13:06:39 +0000 (14:06 +0100)
committerLucas Werkmeister <mail@lucaswerkmeister.de>
Thu, 19 Jan 2017 10:28:04 +0000 (11:28 +0100)
Most notably, the set of permitted syscalls excludes fork and many file
system calls such as unlink or rmdir.

Change-Id: I87827f6ed0025570288611cf257c6e3a01769593

debian/cacert-gigi-testing.install
debian/cacert-gigi.install
debian/gigi-proxy.service
debian/gigi-proxy.service.d/SystemCallFilter.conf [new file with mode: 0644]

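diff --git a/debian/cacert-gigi-testing.install b/debian/cacert-gigi-testing.install
index d61b049f7266d0130d7c39d977f274ac631d992c..c78a9de82e19e3473d722162e16ede1bf9115abb 100644
--- a/debian/cacert-gigi-testing.install
+++ b/debian/cacert-gigi-testing.install
@@ -1,4 +1,5 @@
 debian/gigi-proxy.service /lib/systemd/system
+debian/gigi-proxy.service.d/SystemCallFilter.conf /lib/systemd/system/gigi-proxy.service.d
 debian/gigi-proxy.socket /lib/systemd/system
 debian/gigi-standalone.service /lib/systemd/system
 debian/gigi-simple-signer.service /lib/systemd/system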
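diff --git a/debian/cacert-gigi.install b/debian/cacert-gigi.install
index d61b049f7266d0130d7c39d977f274ac631d992c..c78a9de82e19e3473d722162e16ede1bf9115abb 100644
--- a/debian/cacert-gigi.install
+++ b/debian/cacert-gigi.install
@@ -1,4 +1,5 @@
 debian/gigi-proxy.service /lib/systemd/system
+debian/gigi-proxy.service.d/SystemCallFilter.conf /lib/systemd/system/gigi-proxy.service.d
 debian/gigi-proxy.socket /lib/systemd/system
 debian/gigi-standalone.service /lib/systemd/system
 debian/gigi-simple-signer.service /lib/systemd/system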
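diff --git a/debian/gigi-proxy.service b/debian/gigi-proxy.service
index b4f41024bd34fe019f575a9cdb54a81f69789bae..52eddbd714b982f598e158bf14a6596d7ca4a4d8 100644
--- a/debian/gigi-proxy.service
+++ b/debian/gigi-proxy.service
@@ -17,6 +17,9 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
 
 [Install]
 WantedBy=multi-user.target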
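Review bot: The three new directives carry no rationale, unlike the per-line comments in the SystemCallFilter.conf drop-in this commit adds, and nothing in the unit tells a reader that the syscall allow-list lives in that drop-in. Suggest a comment above the new lines such as `# syscall allow-list: see gigi-proxy.service.d/SystemCallFilter.conf` and, above RestrictAddressFamilies, one line naming the listeners and upstream connections these three families cover, so a future change to the proxy's networking knows where to look. The [Service] section starts outside the hunk.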
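diff --git a/debian/gigi-proxy.service.d/SystemCallFilter.conf b/debian/gigi-proxy.service.d/SystemCallFilter.conf
new file mode 100644
index 0000000..e0a692c
--- /dev/null
+++ b/debian/gigi-proxy.service.d/SystemCallFilter.conf
@@ -0,0 +1,23 @@
+[Service]
+# the system call filter: reset the filter to empty, then each subsequent assignment adds to it
+SystemCallFilter=
+# read and write
+SystemCallFilter=@basic-io
+# @file-system (systemd commit 1a1b13c957, not in any release yet)
+SystemCallFilter=open close stat stat64 fstat fstat64 lstat lstat64 creat mkdir getdents getdents64 getcwd access fcntl fcntl64 mmap munmap readlink
+# event loop (is there data on a socket?)
+SystemCallFilter=@io-event
+# network connections
+SystemCallFilter=@network-io
+# JIT code generation
+SystemCallFilter=mprotect brk
+# signals
+SystemCallFilter=rt_sigaction rt_sigprocmask
+# threads
+SystemCallFilter=clone gettid futex set_robust_list set_tid_address sched_getaffinity sched_setaffinity sched_yield
+# allow nio to detect platform
+SystemCallFilter=uname
+# not sure what these are used for
+SystemCallFilter=arch_prctl sysinfo setrlimit madvise pipe
+# don't kill the process when an illegal syscall is issued, just return Operation not permitted
+SystemCallErrorNumber=EPERM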
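Review bot: The `# threads` line allows clone, which on Linux/glibc is also the system call behind fork(), so the commit message's statement that fork is excluded holds only for the literal fork and vfork syscalls; SystemCallFilter matches on syscall name without argument inspection, so thread creation cannot be admitted while clone-based process creation is rejected. The comment should record this limit, e.g. `# threads (clone also backs glibc fork(), so process creation is not fully blocked)`, and the commit description should be softened accordingly. The `# not sure what these are used for` line should be resolved before merge by recording what arch_prctl, sysinfo, setrlimit, madvise and pipe are needed for, since an unexplained allow-list entry is the first thing to be questioned or wrongly removed later. With SystemCallArchitectures=native set in the unit, the stat64, fstat64, lstat64 and fcntl64 entries are presumably inert on a 64-bit host and could be dropped or marked as 32-bit-only.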