From: Tom Hughes Date: Wed, 2 Nov 2022 22:46:07 +0000 (+0000) Subject: Improve filesystem sandboxing for some services X-Git-Url: https://git.openstreetmap.org./chef.git/commitdiff_plain/111155132a3e59d63cd3f8c0e1bbf71905c06051 Improve filesystem sandboxing for some services
---
diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 7ab10d8f4..db2057372 100644
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -292,8 +292,9 @@ if node[:postgresql][:clusters][:"14/main"]
 nice 10
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
+ read_write_directories "/srv/%i.apis.dev.openstreetmap.org/logs"
 no_new_privileges true
 end
@@ -306,8 +307,9 @@ if node[:postgresql][:clusters][:"14/main"]
 exec_reload "/bin/kill -HUP $MAINPID"
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
+ read_write_directories ["/srv/%i.apis.dev.openstreetmap.org/logs", "/srv/%i.apis.dev.openstreetmap.org/rails/tmp"]
 no_new_privileges true
 restart "on-failure"
 end
diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb
index c006ff9dc..3a166262c 100644
--- a/cookbooks/geodns/recipes/default.rb
+++ b/cookbooks/geodns/recipes/default.rb
@@ -76,7 +76,7 @@ systemd_service "gdnsd-reload" do
 standard_output "null"
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
 no_new_privileges true
 end
diff --git a/cookbooks/gps-tile/recipes/default.rb b/cookbooks/gps-tile/recipes/default.rb
index f4db96412..bc4e4c637 100644
--- a/cookbooks/gps-tile/recipes/default.rb
+++ b/cookbooks/gps-tile/recipes/default.rb
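Review bot: In the cookbooks/dev/recipes/default.rb hunk at @@ -292,8, the added `read_write_directories "/srv/%i.apis.dev.openstreetmap.org/logs"` makes unit start depend on that directory already existing for every instance. Assuming the property is rendered as systemd's ReadWritePaths=/ReadWriteDirectories= setting, systemd refuses to set up the mount namespace when a listed path is missing, unless the entry carries a `-` prefix. The hunk at @@ -306,8 has the same dependency for both of its paths, `logs` and `rails/tmp`. Whether the recipe creates these directories before an instance can be started is not visible here, since the enclosing `systemd_service` blocks open outside the hunks. A comment above each line would record the requirement, for example `# %i is the instance name; this directory must exist before the unit starts`.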
@@ -96,8 +96,9 @@ systemd_service "gps-update" do
 nice 10
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
+ read_write_directories "/srv/gps-tile.openstreetmap.org"
 no_new_privileges true
 restart "on-failure"
 end
diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb
index c72e53cbd..84b34afc2 100644
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -350,7 +350,7 @@ systemd_service "prometheus-karma" do
 exec_start "/opt/prometheus-server/karma/karma-linux-amd64 --config.file=/etc/prometheus/karma.yml"
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
 no_new_privileges true
 restart "on-failure"
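Review bot: In the cookbooks/gps-tile/recipes/default.rb hunk, `read_write_directories "/srv/gps-tile.openstreetmap.org"` reopens the whole site tree for writing, which is broader than the dev cookbook hunks in this commit, where only `logs` and `rails/tmp` are listed. If the program or scripts that `gps-update` runs live under that same directory, the service can still modify the code it executes and `protect_system "strict"` protects less than it appears to. That cannot be checked here because the `exec_start` line is outside the hunk. Listing only the subdirectories the updater writes would keep the restriction meaningful. Until then a comment above the line such as `# TODO: narrow to the directories gps-update actually writes` would record that the broad path is a known gap.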