From: Lucas Werkmeister
Date: Wed, 18 Jan 2017 13:06:39 +0000 (+0100)
Subject: upd: add more sandboxing directives to gigi-proxy.service
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=a9405c7e4b3aaa670f4b53da18c0b15448c87c2c
upd: add more sandboxing directives to gigi-proxy.service
Most notably, the set of permitted syscalls excludes fork and many file system commands like unlink or rmdir.
Change-Id: I87827f6ed0025570288611cf257c6e3a01769593
---
diff --git a/debian/cacert-gigi-testing.install b/debian/cacert-gigi-testing.install
index d61b049f..c78a9de8 100644
--- a/debian/cacert-gigi-testing.install
+++ b/debian/cacert-gigi-testing.install
@@ -1,4 +1,5 @@
 debian/gigi-proxy.service /lib/systemd/system
+debian/gigi-proxy.service.d/SystemCallFilter.conf /lib/systemd/system/gigi-proxy.service.d
 debian/gigi-proxy.socket /lib/systemd/system
 debian/gigi-standalone.service /lib/systemd/system
 debian/gigi-simple-signer.service /lib/systemd/system
diff --git a/debian/cacert-gigi.install b/debian/cacert-gigi.install
index d61b049f..c78a9de8 100644
--- a/debian/cacert-gigi.install
+++ b/debian/cacert-gigi.install
@@ -1,4 +1,5 @@
 debian/gigi-proxy.service /lib/systemd/system
+debian/gigi-proxy.service.d/SystemCallFilter.conf /lib/systemd/system/gigi-proxy.service.d
 debian/gigi-proxy.socket /lib/systemd/system
 debian/gigi-standalone.service /lib/systemd/system
 debian/gigi-simple-signer.service /lib/systemd/system
diff --git a/debian/gigi-proxy.service b/debian/gigi-proxy.service
index b4f41024..52eddbd7 100644
--- a/debian/gigi-proxy.service
+++ b/debian/gigi-proxy.service
@@ -17,6 +17,9 @@ PrivateDevices=yes
 ProtectSystem=full
 ProtectHome=yes
 NoNewPrivileges=yes
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictRealtime=yes
 
 [Install]
 WantedBy=multi-user.target
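Review bot: Nothing in the unit records that the matching SystemCallFilter allowlist lives in the drop-in this commit installs to gigi-proxy.service.d, so a reader of the three new directives will underestimate what is enforced and may later tune them without touching the filter; a one-line comment above `SystemCallArchitectures=native`, `# system call filter: see gigi-proxy.service.d/SystemCallFilter.conf`, keeps the two in step. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` leaves out AF_NETLINK, which glibc's getifaddrs() needs for interface enumeration; if that was deliberate, a comment saying so (`# AF_NETLINK intentionally not allowed: no interface enumeration needed`) prevents it being "fixed" later, and if not, it is worth a test, since the failure shows up at runtime rather than at unit start. The [Service] section this hunk belongs to begins above the hunk.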
diff --git a/debian/gigi-proxy.service.d/SystemCallFilter.conf b/debian/gigi-proxy.service.d/SystemCallFilter.conf
new file mode 100644
index 00000000..e0a692c4
--- /dev/null
+++ b/debian/gigi-proxy.service.d/SystemCallFilter.conf
@@ -0,0 +1,23 @@
+[Service]
+# the system call filter: reset the filter to empty, then each subsequent assignment adds to it
+SystemCallFilter=
+# read and write
+SystemCallFilter=@basic-io
+# @file-system (systemd commit 1a1b13c957, not in any release yet)
+SystemCallFilter=open close stat stat64 fstat fstat64 lstat lstat64 creat mkdir getdents getdents64 getcwd access fcntl fcntl64 mmap munmap readlink
+# event loop (is there data on a socket?)
+SystemCallFilter=@io-event
+# network connections
+SystemCallFilter=@network-io
+# JIT code generation
+SystemCallFilter=mprotect brk
+# signals
+SystemCallFilter=rt_sigaction rt_sigprocmask
+# threads
+SystemCallFilter=clone gettid futex set_robust_list set_tid_address sched_getaffinity sched_setaffinity sched_yield
+# allow nio to detect platform
+SystemCallFilter=uname
+# not sure what these are used for
+SystemCallFilter=arch_prctl sysinfo setrlimit madvise pipe
+# don't kill the process when an illegal syscall is issued, just return Operation not permitted
+SystemCallErrorNumber=EPERM
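Review bot: The commit message presents the filter as excluding fork, but the `# threads` line allows `clone`, and glibc implements fork() on Linux via the clone syscall, so this allowlist does not by itself prevent process creation; what limits a spawned child is that `execve` is not listed (unless the installed systemd implicitly adds its @default group to allowlists, which would need checking for the target version). The comment should make this explicit, e.g. `# threads (clone also backs glibc fork(); this filter does not prevent process creation)`, so the list is not later read as a no-fork guarantee. `# not sure what these are used for` above `arch_prctl sysinfo setrlimit madvise pipe` documents a guess, and with `SystemCallErrorNumber=EPERM` a wrong guess only surfaces as an application error rather than a kill; recording how the set was obtained (which tool and which test run showed them) or adding a TODO to re-verify under a kill action during testing would make it maintainable. The `@file-system` comment cites a systemd commit that is not yet released; a `# TODO: replace with SystemCallFilter=@file-system once available` note would keep the hand-copied list from silently going stale.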