From e3618ba243a881e01ada64aaab68e131fe90d6c8 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Wed, 8 Mar 2023 19:25:41 +0000
Subject: [PATCH] Fix sandboxing of smokeping exporter

---
 cookbooks/prometheus/recipes/smokeping.rb       | 3 +++
 cookbooks/prometheus/resources/exporter.rb      | 6 ++++++
 cookbooks/systemd/resources/service.rb          | 2 ++
 cookbooks/systemd/templates/default/service.erb | 3 +++
 4 files changed, 14 insertions(+)

diff --git a/cookbooks/prometheus/recipes/smokeping.rb b/cookbooks/prometheus/recipes/smokeping.rb
index 975f8a5c2..5f11d2c90 100644
--- a/cookbooks/prometheus/recipes/smokeping.rb
+++ b/cookbooks/prometheus/recipes/smokeping.rb
@@ -40,4 +40,7 @@ end
 prometheus_exporter "smokeping" do
   port 9374
   options "--config.file=/etc/prometheus/exporters/smokeping.yml"
+  capability_bounding_set "CAP_NET_RAW"
+  ambient_capabilities "CAP_NET_RAW"
+  private_users false
 end
diff --git a/cookbooks/prometheus/resources/exporter.rb b/cookbooks/prometheus/resources/exporter.rb
index 782f84aa3..0e1d9d6e4 100644
--- a/cookbooks/prometheus/resources/exporter.rb
+++ b/cookbooks/prometheus/resources/exporter.rb
@@ -33,7 +33,10 @@ property :options, :kind_of => [String, Array]
 property :environment, :kind_of => Hash, :default => {}
 property :protect_proc, String
 property :proc_subset, String
+property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
 property :private_devices, [true, false]
+property :private_users, [true, false]
 property :protect_clock, [true, false]
 property :restrict_address_families, [String, Array]
 property :remove_ipc, [true, false]
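Review bot: The three added lines in the smokeping.rb hunk grant CAP_NET_RAW and switch off user-namespace isolation without recording why, so a later pass that tightens exporter sandboxes is likely to revert them. A comment above `capability_bounding_set "CAP_NET_RAW"` such as `# ICMP probes need a raw socket; with PrivateUsers= the capability would only exist inside the unit's user namespace, so it stays off` would pin the intent (the user-namespace effect is my reading of systemd's documented behaviour — confirm on the deployed version). Keeping both the bounding set and the ambient set to that single capability is the right minimal scope. It is worth checking that whatever `restrict_address_families` resolves to for this unit (set outside this hunk) still admits the socket family the probes open, otherwise the capability is granted but unusable.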
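Review bot: The new `capability_bounding_set`, `ambient_capabilities` and `private_users` properties in the exporter.rb hunk are undocumented, and they widen what any exporter recipe can ask of the sandbox. A comment above `property :capability_bounding_set, [String, Array]` such as `# Sandbox escape hatches: set only for exporters that need a privileged socket, and keep both capability sets to the same minimal list` tells the next author when these are appropriate. The pass-through forwarding in the second hunk of this file follows the neighbouring `property_is_set?` pattern and needs no change.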
@@ -58,7 +61,10 @@ action :create do
     sandbox :enable_network => true
     protect_proc new_resource.protect_proc if new_resource.property_is_set?(:protect_proc)
     proc_subset new_resource.proc_subset if new_resource.property_is_set?(:proc_subset)
+    capability_bounding_set new_resource.capability_bounding_set if new_resource.property_is_set?(:capability_bounding_set)
+    ambient_capabilities new_resource.ambient_capabilities if new_resource.property_is_set?(:ambient_capabilities)
     private_devices new_resource.private_devices if new_resource.property_is_set?(:private_devices)
+    private_users new_resource.private_users if new_resource.property_is_set?(:private_users)
     protect_clock new_resource.protect_clock if new_resource.property_is_set?(:protect_clock)
     restrict_address_families new_resource.restrict_address_families if new_resource.property_is_set?(:restrict_address_families)
     remove_ipc new_resource.remove_ipc if new_resource.property_is_set?(:remove_ipc)
diff --git a/cookbooks/systemd/resources/service.rb b/cookbooks/systemd/resources/service.rb
index 35655dc7a..e82b33fb0 100644
--- a/cookbooks/systemd/resources/service.rb
+++ b/cookbooks/systemd/resources/service.rb
@@ -68,6 +68,7 @@ property :protect_proc, String,
 property :proc_subset, String,
          :is => %w[all pid]
 property :capability_bounding_set, [String, Array]
+property :ambient_capabilities, [String, Array]
 property :no_new_privileges, [true, false]
 property :protect_system, [true, false, String]
 property :protect_home, [true, false, String]
@@ -118,6 +119,7 @@ action :create do
   service_variables[:protect_proc] = "invisible" unless property_is_set?(:protect_proc)
   service_variables[:proc_subset] = "pid" unless property_is_set?(:proc_subset)
   service_variables[:capability_bounding_set] = [] unless property_is_set?(:capability_bounding_set)
+  service_variables[:ambient_capabilities] = [] unless property_is_set?(:ambient_capabilities)
   service_variables[:no_new_privileges] = true unless property_is_set?(:no_new_privileges)
   service_variables[:protect_system] = "strict" unless property_is_set?(:protect_system)
   service_variables[:protect_home] = true unless property_is_set?(:protect_home)
diff --git a/cookbooks/systemd/templates/default/service.erb b/cookbooks/systemd/templates/default/service.erb
index a4ff29fa9..1172d0b96 100644
--- a/cookbooks/systemd/templates/default/service.erb
+++ b/cookbooks/systemd/templates/default/service.erb
@@ -145,6 +145,9 @@ NoNewPrivileges=<%= @no_new_privileges %>
 <% if @capability_bounding_set -%>
 CapabilityBoundingSet=<%= Array(@capability_bounding_set).sort.uniq.join(" ") %>
 <% end -%>
+<% if @ambient_capabilities -%>
+AmbientCapabilities=<%= Array(@ambient_capabilities).sort.uniq.join(" ") %>
+<% end -%>
 <% if @protect_system -%>
 ProtectSystem=<%= @protect_system %>
 <% end -%>
-- 
2.39.5
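Review bot: With the `[]` default added in the service.rb hunk, the new `<% if @ambient_capabilities -%>` guard in the service.erb hunk is always true (an empty Array is truthy in Ruby), so every unit now gets a bare `AmbientCapabilities=` line. That is the safe outcome — an empty assignment resets the ambient set, mirroring how `CapabilityBoundingSet=` is already emitted — but the intent is invisible at the default; a comment on the added line, `# [] renders an empty AmbientCapabilities= so nothing inherited from drop-ins survives`, would record it. An ambient capability is only usable when the same capability is also in the bounding set (as the smokeping recipe does); if that pairing is meant to be a rule, the resource could check `Array(ambient_capabilities) - Array(capability_bounding_set)` is empty rather than relying on each caller, though I have not confirmed how systemd reconciles the two sets on the deployed version.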