Systemd Adds New "ProtectSystem Strict" Option, Other New Tunables
Landing overnight in systemd Git were several new tunables offering better system security/protection. The systemd-udevd.service is also now run in a Seccomp-based sandbox that prohibits any network access.
One of the new tunables is ProtectKernelTunables=. The ProtectKernelTunables option makes the kernel variables exposed via /proc/sys, /proc/acpi, and some other /proc interfaces read-only to all processes of the unit.
The ProtectControlGroups= tunable makes the cgroup hierarchies under /sys/fs/cgroup read-only to all processes of the unit. With the exception of container managers, systemd is seeking to block other services from having write-access to the Linux Control Groups hierarchies.
Lastly, the ProtectSystem= tunable now accepts a strict argument. When ProtectSystem is set to strict mode, the entire file-system hierarchy is mounted read-only except for the API file-system sub-trees /dev, /proc, and /sys (and those directories can be further protected with the ProtectControlGroups, ProtectKernelTunables, and PrivateDevices tunables).
Ultimately systemd developers are looking at setting ProtectSystem=strict for all long-running services, further locking down where services have write-access.
Those wishing to learn more about these latest additions to systemd that add more than one thousand lines of new code can see this Git merge with all of the details.
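Below is an added example of how the tunables described above combine in a unit file; it is not code from the article or the systemd merge. The service name, binary and state directory are hypothetical, and ReadWritePaths= is not covered by the article (it exists in systemd 231 and later, and is needed because strict mode makes /var read-only too).

```ini
# Added example (not from the article or the systemd merge): a long-running
# daemon confined with ProtectSystem=strict. Service name, binary and
# /var/lib/example-daemon are hypothetical.
[Unit]
Description=Example daemon confined with ProtectSystem=strict

[Service]
ExecStart=/usr/bin/example-daemon --state-dir /var/lib/example-daemon

# Whole file-system hierarchy read-only, except the /dev, /proc, /sys API trees.
ProtectSystem=strict

# Lock down those API trees as well:
# /proc/sys, /proc/acpi and related /proc interfaces become read-only.
ProtectKernelTunables=yes
# /sys/fs/cgroup becomes read-only (this is not a container manager).
ProtectControlGroups=yes
# Private /dev containing only pseudo-devices, no physical device nodes.
PrivateDevices=yes

# strict makes /var read-only too, so the one directory the daemon must write
# is explicitly punched back through. ReadWritePaths= is not mentioned in the
# article; it is available in systemd 231 and later (assumption labelled here).
ReadWritePaths=/var/lib/example-daemon

[Install]
WantedBy=multi-user.target
```

On systemd 240 and later, `systemd-analyze security example-daemon.service` reports which of these protections a unit has and which it still lacks.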