From 111155132a3e59d63cd3f8c0e1bbf71905c06051 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 2 Nov 2022 22:46:07 +0000
Subject: [PATCH] Improve filesystem sandboxing for some services

---
 cookbooks/dev/recipes/default.rb | 6 ++++--
 cookbooks/geodns/recipes/default.rb | 2 +-
 cookbooks/gps-tile/recipes/default.rb | 3 ++-
 cookbooks/prometheus/recipes/server.rb | 2 +-
 4 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/cookbooks/dev/recipes/default.rb b/cookbooks/dev/recipes/default.rb
index 7ab10d8f4..db2057372 100644
--- a/cookbooks/dev/recipes/default.rb
+++ b/cookbooks/dev/recipes/default.rb
@@ -292,8 +292,9 @@ if node[:postgresql][:clusters][:"14/main"]
 nice 10
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
+ read_write_directories "/srv/%i.apis.dev.openstreetmap.org/logs"
 no_new_privileges true
 end
 
@@ -306,8 +307,9 @@ if node[:postgresql][:clusters][:"14/main"]
 exec_reload "/bin/kill -HUP $MAINPID"
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
+ read_write_directories ["/srv/%i.apis.dev.openstreetmap.org/logs", "/srv/%i.apis.dev.openstreetmap.org/rails/tmp"]
 no_new_privileges true
 restart "on-failure"
 end
diff --git a/cookbooks/geodns/recipes/default.rb b/cookbooks/geodns/recipes/default.rb
index c006ff9dc..3a166262c 100644
--- a/cookbooks/geodns/recipes/default.rb
+++ b/cookbooks/geodns/recipes/default.rb
@@ -76,7 +76,7 @@ systemd_service "gdnsd-reload" do
 standard_output "null"
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
 no_new_privileges true
 end
diff --git a/cookbooks/gps-tile/recipes/default.rb b/cookbooks/gps-tile/recipes/default.rb
index f4db96412..bc4e4c637 100644
--- a/cookbooks/gps-tile/recipes/default.rb
+++ b/cookbooks/gps-tile/recipes/default.rb
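Review bot: The first dev unit (hunk at line 292) is given only `/srv/%i.apis.dev.openstreetmap.org/logs` as writable under `protect_system "strict"`, while the second hunk in the same file also opens `rails/tmp`; if the first unit runs the same Rails tree (its `exec_start` and the `systemd_service` header are outside the hunk, so this is inferred), any write to `tmp/` that succeeded under `"full"` now fails, so the unit's command is worth checking before merge. The `%i` specifier in both paths only expands for instantiated template units; on a non-template unit it becomes empty and the path collapses to `/srv/.apis.dev.openstreetmap.org/logs`, which is then carved out of the read-only view instead of the intended directory. If a listed directory may not exist when the unit starts, systemd's `-` prefix skips the bind mount rather than failing the start, e.g. `read_write_directories "-/srv/%i.apis.dev.openstreetmap.org/logs"`, assuming the resource passes the value through unchanged; the same applies to the gps-tile hunk. `ReadWriteDirectories=` is also the older spelling of `ReadWritePaths=`, so if the cookbook's `systemd_service` resource exposes a `read_write_paths` property, that is the current directive to use.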
@@ -96,8 +96,9 @@ systemd_service "gps-update" do
 nice 10
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
+ read_write_directories "/srv/gps-tile.openstreetmap.org"
 no_new_privileges true
 restart "on-failure"
 end
diff --git a/cookbooks/prometheus/recipes/server.rb b/cookbooks/prometheus/recipes/server.rb
index c72e53cbd..84b34afc2 100644
--- a/cookbooks/prometheus/recipes/server.rb
+++ b/cookbooks/prometheus/recipes/server.rb
@@ -350,7 +350,7 @@ systemd_service "prometheus-karma" do
 exec_start "/opt/prometheus-server/karma/karma-linux-amd64 --config.file=/etc/prometheus/karma.yml"
 private_tmp true
 private_devices true
- protect_system "full"
+ protect_system "strict"
 protect_home true
 no_new_privileges true
 restart "on-failure"
-- 
2.39.5
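Review bot: `read_write_directories "/srv/gps-tile.openstreetmap.org"` in the gps-update hunk reopens the whole site tree for writing, which is a broad carve-out from `protect_system "strict"`: if that tree also holds the scripts or binaries the unit executes (`exec_start` is above the hunk, so this is inferred), the service can still modify its own code, which is precisely what the move from `"full"` to `"strict"` is meant to rule out. Narrowing the path to the subdirectory gps-update actually writes (its data or output directory) keeps the program files read-only while preserving the fix. If that directory is created by the unit itself on first run, prefix it with `-` so the bind mount is skipped instead of failing the start. The prometheus-karma hunk needs no carve-out as shown, since its command only reads `/etc/prometheus/karma.yml`.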