packaging/systemd: restrict permissions

Forwarder does not need that many permissions, we can restrict it to minimum. CAP_NET_BIND_SERVICE can be used to allow this user to bind to a port < 1024 if desired. The work is based on wireproxy's systemd configuration[1]. Also I found systemd service hardening doc[2] helpful. DynamicUser/Strict system protection didn't work as package installs forwarder binary at /usr/bin. [1] pufferffish/wireproxy#103. [2] https://gist.github.com/ageis/f5595e59b1cddb1513d1b425a323db04
saucelabs · Apr 8, 2024 · 79703de · 79703de
1 parent be30d92
commit 79703de
Showing 1 changed file with 31 additions and 4 deletions.
diff --git a/packaging/systemd/forwarder.service b/packaging/systemd/forwarder.service
@@ -6,17 +6,44 @@ After=network-online.target
 Type=simple
 User=forwarder
 Group=forwarder
-LimitCORE=infinity
-EnvironmentFile=/etc/default/forwarder
 ExecStart=/usr/bin/forwarder run
-TimeoutStartSec=900
-TimeoutStopSec=900
+EnvironmentFile=/etc/default/forwarder
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+LockPersonality=true
+ProcSubset=pid
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+# Uncomment the following lines if your service requires binding to ports <1024.
+#AmbientCapabilities=CAP_NET_BIND_SERVICE
+#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
 KillMode=process
 Restart=on-failure
+RestartSec=30s
 RestartPreventExitStatus=1
+TimeoutStartSec=60
+TimeoutStopSec=600
+
+SyslogIdentifier=forwarder
 StandardOutput=journal
 StandardError=journal
 SyslogLevelPrefix=false
 
+LimitCORE=infinity
+LimitNPROC=64
+
 [Install]
 WantedBy=multi-user.target