Systemd Sandboxing to log2ram-daily.service & log2ram.service. #195
I have added some common Systemd sandboxing options. The additions seek to move the services toward a posture of securer defaults. It is best practice to implement such restrictions for long-running services. Furthermore, despite my personal aversion to reading them, logs are a critical element of system security.
My pull request changes the output of:
systemd-analyze security log2ram.service && systemd-analyze security log2ram-daily.service
from ~9 (unsafe) to ~6 (medium).
Some added options have comments below them regarding possible lost functionality. It is up to the developer to determine whether to include those specific lines, i.e. whether to maximize user friendliness or not. If those lines were removed, the end-user could simply add them themselves if they wanted to, so it's not that important anyways.
For background context on Systemd-Sandboxing, see: link
I will accept chin scritchies as a token of appreciation.
Friendly meows,
TubbyCat