Improve filesystem sandboxing for some services

author Tom Hughes <tom@compton.nu>

Wed, 2 Nov 2022 22:46:07 +0000 (22:46 +0000)

committer Tom Hughes <tom@compton.nu>

Wed, 2 Nov 2022 22:46:07 +0000 (22:46 +0000)
author Tom Hughes <tom@compton.nu>
Wed, 2 Nov 2022 22:46:07 +0000 (22:46 +0000)
committer Tom Hughes <tom@compton.nu>
Wed, 2 Nov 2022 22:46:07 +0000 (22:46 +0000)
diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb

index 7ab10d8f47ed9af1ad5aadad1f0afc954e7ed40a..db2057372489085c7d582d39e9c5e698bab1cc9b 100644 (file)
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -292,8 +292,9 @@ if node[:postgresql][:clusters][:"14/main"]
      nice 10
      private_tmp true
      private_devices true
-    protect_system "full"
+    protect_system "strict"
      protect_home true
+    read_write_directories "/srv/%i.apis.dev.openstreetmap.org/logs"
      no_new_privileges true
    end
  
@@ -306,8 +307,9 @@ if node[:postgresql][:clusters][:"14/main"]
      exec_reload "/bin/kill -HUP $MAINPID"
      private_tmp true
      private_devices true
-    protect_system "full"
+    protect_system "strict"
      protect_home true
+    read_write_directories ["/srv/%i.apis.dev.openstreetmap.org/logs", "/srv/%i.apis.dev.openstreetmap.org/rails/tmp"]
      no_new_privileges true
      restart "on-failure"
    end
diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb

index c006ff9dcff4827a40a3322152ce19adf9589c24..3a166262c0e5669a297f7b2023df57be7462a2a9 100644 (file)
--- a/cookbooks/geodns/recipes/default.rb
+++ b/cookbooks/geodns/recipes/default.rb
@@ -76,7 +76,7 @@ systemd_service "gdnsd-reload" do
    standard_output "null"
    private_tmp true
    private_devices true
-  protect_system "full"
+  protect_system "strict"
    protect_home true
    no_new_privileges true
  end
diff --git a/cookbooks/gps-tile/recipes/default.rb b/cookbooks/gps-tile/recipes/default.rb

index f4db96412858f51cc9530bd1be535ae0a03c5180..bc4e4c6373da5bb7dc379014946871ffa198ce89 100644 (file)
--- a/cookbooks/gps-tile/recipes/default.rb
+++ b/cookbooks/gps-tile/recipes/default.rb
@@ -96,8 +96,9 @@ systemd_service "gps-update" do
    nice 10
    private_tmp true
    private_devices true
-  protect_system "full"
+  protect_system "strict"
    protect_home true
+  read_write_directories "/srv/gps-tile.openstreetmap.org"
    no_new_privileges true
    restart "on-failure"
  end
diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb

index c72e53cbd03d0edaf5b04d3c5e53e1844426d5b6..84b34afc2620e1d56b16301488ef090148df0d97 100644 (file)
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -350,7 +350,7 @@ systemd_service "prometheus-karma" do
    exec_start "/opt/prometheus-server/karma/karma-linux-amd64 --config.file=/etc/prometheus/karma.yml"
    private_tmp true
    private_devices true
-  protect_system "full"
+  protect_system "strict"
    protect_home true
    no_new_privileges true
    restart "on-failure"
author	Tom Hughes <tom@compton.nu>
	Wed, 2 Nov 2022 22:46:07 +0000 (22:46 +0000)
committer	Tom Hughes <tom@compton.nu>
	Wed, 2 Nov 2022 22:46:07 +0000 (22:46 +0000)
cookbooks/dev/recipes/default.rb		patch \| blob \| history
cookbooks/geodns/recipes/default.rb		patch \| blob \| history
cookbooks/gps-tile/recipes/default.rb		patch \| blob \| history
cookbooks/prometheus/recipes/server.rb		patch \| blob \| history