Improve filesystem sandboxing for tile services
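--- a/cookbooks/tile/recipes/default.rb
+++ b/cookbooks/tile/recipes/default.rb
@@ -284,8 +284,12 @@ systemd_service "update-lowzoom@" do
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/srv/tile.openstreetmap.org/tiles/%i",
+    "/var/log/tile"
+  ]
   no_new_privileges true
   restart "on-failure"
 end
@@ -546,7 +550,7 @@ systemd_service "tile-ratelimit" do
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
   read_write_paths "/srv/tile.openstreetmap.org/conf"
   no_new_privileges true
@@ -595,8 +599,13 @@ systemd_service "expire-tiles" do
   standard_output "null"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/srv/tile.openstreetmap.org/tiles/%i",
+    "/var/lib/replicate/expire-queue",
+    "/var/log/tile"
+  ]
   no_new_privileges true
 end
 
@@ -618,8 +627,13 @@ systemd_service "replicate" do
   exec_start "/usr/local/bin/replicate"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/store/database/nodes",
+    "/var/lib/replicate",
+    "/var/log/tile"
+  ]
   no_new_privileges true
   restart "on-failure"
 end
@@ -652,8 +666,9 @@ systemd_service "render-lowzoom" do
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths "/var/log/tile"
   no_new_privileges true
 end
 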
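Review bot: With `protect_system "strict"` everything outside /dev, /proc and /sys is mounted read-only, so every `read_write_paths` entry added here must exist when the unit starts — systemd refuses to start a unit whose ReadWritePaths= entry is missing unless the entry is prefixed with `-` — and `/var/lib/replicate/expire-queue` and `/var/log/tile` are presumably created elsewhere in this recipe, which is worth confirming for ordering. The tile-ratelimit hunk keeps only `/srv/tile.openstreetmap.org/conf` writable and, unlike the other four units, gets no `/var/log/tile` entry, which is correct only if that service never writes there. Under strict mode /run is read-only too, so any of these units that drops a pid file or socket there now needs a RuntimeDirectory= setting as well. A short comment above each list, e.g. `# strict ProtectSystem: list every directory this unit must write (tile cache, expire queue, logs)`, would make the per-unit lists easier to keep in sync with the scripts they run.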