Merge bitcoin/bitcoin#28340: security: restrict abis in bitcoind.service

0244416 security: restrict abis in bitcoind.service (Charlie) Pull request description: [As noted here](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=), it's a good idea to pair `MemoryDenyWriteExecute=true` with `SystemCallArchitectures=native` because `MemoryDenyWriteExecute` can be circumvented in some operating systems which support multiple ABIs like x86/x86-64. This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area. ACKs for top commit: laanwj: ACK 0244416 . This is a sensible security feature. 0xB10C: ACK 0244416 Tree-SHA512: 77a35b0674d8d67d857cd20ae1b8cd011f82d6f5ed21bc106cbe45bfa937e786ddc1bf7261e3bdb8c289df1224e91658760905d2c8f37cc4c6506ef8037ad158
bitcoin-core · Apr 17, 2024 · dbd2000 · dbd2000
2 parents 003785c + 0244416
commit dbd2000
Showing 1 changed file with 3 additions and 0 deletions.
diff --git a/contrib/init/bitcoind.service b/contrib/init/bitcoind.service
@@ -81,5 +81,8 @@ PrivateDevices=true
 # Deny the creation of writable and executable memory mappings.
 MemoryDenyWriteExecute=true
 
+# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced
+SystemCallArchitectures=native
+
 [Install]
 WantedBy=multi-user.target