Improve filesystem sandboxing for tile services
index 36c3185696e5a29e87b69abae578981e0d897999..576c0f6adf080718f0e35dd637bac1b208a8964c 100644 (file)
@@ -284,8 +284,12 @@ systemd_service "update-lowzoom@" do
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/srv/tile.openstreetmap.org/tiles/%i",
+    "/var/log/tile"
+  ]
   no_new_privileges true
   restart "on-failure"
 end
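Review bot: The two `read_write_paths` entries are now the only writable holes in `ProtectSystem=strict` for this unit, and nothing records why each is needed or that `%i` is the escaped instance (style) name, so the next person cannot tell whether either can be shrunk. As far as I recall, systemd refuses to start a unit when a `ReadWritePaths` entry does not exist on disk (a leading `-` makes a missing path ignorable), so the per-style tiles directory has to exist before the instance is first started — worth confirming against whatever creates it, since that is outside this hunk. A short comment above the list would cover both, e.g. `# Only the per-style tile tree (%i = style name) and the log directory stay writable under ProtectSystem=strict; both must exist or the unit fails to start`.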
@@ -362,19 +366,15 @@ node[:tile][:styles].each do |name, details|
     group "tile"
   end
 
-  link "#{style_directory}/fonts" do
-    to "/srv/tile.openstreetmap.org/fonts"
-    owner "tile"
-    group "tile"
-  end
-
-  execute "#{style_directory}/fonts" do
-    action :nothing
-    command "scripts/get-fonts.sh"
-    cwd style_directory
-    user "tile"
-    group "tile"
-    subscribes :run, "git[#{style_directory}]"
+  if details[:fonts_script]
+    execute details[:fonts_script] do
+      action :nothing
+      command details[:fonts_script]
+      cwd style_directory
+      user "tile"
+      group "tile"
+      subscribes :run, "git[#{style_directory}]"
+    end
   end
 
   execute "#{style_directory}/project.mml" do
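Review bot: The new `execute` resource is named after `details[:fonts_script]` rather than the style, so two styles that share a fonts script (the removed code ran the same `scripts/get-fonts.sh` for every style) produce two resources with the identical name inside this loop; the old name `"#{style_directory}/fonts"` was unique per style and should be kept, with the script only in `command`: `execute "#{style_directory}/fonts" do` / `command details[:fonts_script]`. Separately, dropping the `link` resource does not remove the `fonts` symlink on nodes that were already converged, so an existing checkout still has `fonts -> /srv/tile.openstreetmap.org/fonts`; if the per-style script now populates a `fonts` directory inside the checkout, it would presumably write through that stale link into the shared directory, so a one-off `link "#{style_directory}/fonts" do action :delete end` looks safer than relying on the script. The enclosing `node[:tile][:styles].each` loop starts before and ends after this hunk.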
@@ -404,6 +404,11 @@ postgresql_user "tomh" do
   superuser true
 end
 
+postgresql_user "pnorman" do
+  cluster node[:tile][:database][:cluster]
+  superuser true
+end
+
 postgresql_user "tile" do
   cluster node[:tile][:database][:cluster]
 end
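Review bot: This adds a second permanent `superuser` role on the rendering cluster next to `tomh`, and neither carries a note saying why full superuser (rather than ownership of the relevant database or a membership in the `tile` role) is required. Superuser in PostgreSQL is equivalent to shell access as the postgres OS user, so a one-line justification helps a later least-privilege review decide whether it can be reduced, e.g. `# Unrestricted access for database maintenance; review before adding further superusers`. Whether authentication is via peer/ident or a password is not visible in this hunk, so I am not commenting on that.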
@@ -541,10 +546,11 @@ systemd_service "tile-ratelimit" do
   user "tile"
   group "adm"
   exec_start "/usr/local/bin/tile-ratelimit"
+  nice 10
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
   read_write_paths "/srv/tile.openstreetmap.org/conf"
   no_new_privileges true
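Review bot: `nice 10` lowers the CPU priority of the rate limiter, which is the process whose output under `/srv/tile.openstreetmap.org/conf` is presumably what blocks abusive clients; under the CPU contention of an abuse spike that is exactly when it would be starved, so the trade-off deserves a comment rather than a bare number. If the intent is to stop it competing with rendering during normal operation, say so: `# Low priority: must not compete with renderd for CPU; blocklist latency is acceptable`. If it is meant to reduce I/O pressure from log scanning, `nice` does not affect that and an `io_scheduling_class`/`io_scheduling_priority` setting would be the relevant knob.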
@@ -589,11 +595,17 @@ systemd_service "expire-tiles" do
   type "simple"
   user "_renderd"
   exec_start "/usr/local/bin/expire-tiles"
+  nice 10
   standard_output "null"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/srv/tile.openstreetmap.org/tiles/%i",
+    "/var/lib/replicate/expire-queue",
+    "/var/log/tile"
+  ]
   no_new_privileges true
 end
 
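Review bot: `expire-tiles` is a plain unit, not a template (`systemd_service "expire-tiles"`, no `@`), so the `%i` in `/srv/tile.openstreetmap.org/tiles/%i` expands to the empty string and the entry becomes `/srv/tile.openstreetmap.org/tiles/`, i.e. the whole tiles tree is writable. If that is intended because expiry touches every style, write it out explicitly as `"/srv/tile.openstreetmap.org/tiles"` with a comment saying so; if only one style was meant, this grants far more than intended and the `%i` copy from the `update-lowzoom@` template was a mistake. Note also that `/var/lib/replicate/expire-queue` is shared with the `replicate` unit but this unit runs as `_renderd`; `ReadWritePaths` only removes the read-only mount, so the directory's ownership/mode (not visible here) still has to allow both users.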
@@ -615,8 +627,13 @@ systemd_service "replicate" do
   exec_start "/usr/local/bin/replicate"
   private_tmp true
   private_devices true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths [
+    "/store/database/nodes",
+    "/var/lib/replicate",
+    "/var/log/tile"
+  ]
   no_new_privileges true
   restart "on-failure"
 end
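Review bot: The three `read_write_paths` entries are the entire writable surface left to `replicate` under `ProtectSystem=strict`, and none is documented, so a later reader cannot tell which are load-bearing; `/store/database/nodes` in particular looks like osm2pgsql's flat nodes file, but that is an inference from the name, not from anything in this hunk. A comment next to the list would let the set be tightened safely, e.g. `# Writable: flat nodes file, replication state (incl. expire-queue read by expire-tiles), and logs`. This unit deliberately has no `private_network` unlike its siblings, presumably because it fetches diffs; a one-word comment there would prevent someone "fixing" it.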
@@ -649,8 +666,9 @@ systemd_service "render-lowzoom" do
   private_tmp true
   private_devices true
   private_network true
-  protect_system "full"
+  protect_system "strict"
   protect_home true
+  read_write_paths "/var/log/tile"
   no_new_privileges true
 end