No edit summary |
No edit summary |
||
Line 44: | Line 44: | ||
* `PrivateTmp=yes` | * `PrivateTmp=yes` | ||
* `ProtectSystem=yes/full/strict` | * `ProtectSystem=yes/full/strict` | ||
* `ProtectHome=yes` | * `ProtectHome=yes/read-only` | ||
* `PrivateDevices=yes` | * `PrivateDevices=yes` | ||
* `ProtectKernelTunables=yes` | * `ProtectKernelTunables=yes` | ||
Line 64: | Line 64: | ||
* Proposal owners: Pull requests to enable various security features to services available by default and other high profile services. | * Proposal owners: Pull requests to enable various security features to services available by default and other high profile services. | ||
* Other developers: Review PRs as needed | * Other developers: Review PRs as needed | ||
* Release engineering: | * Release engineering: https://pagure.io/releng/issue/11785 | ||
* Policies and guidelines: | * Policies and guidelines: | ||
Packaging guidelines will have to be modified to add recommendations to use more of the systemd security features by default. In particular, we should add a security settings section in https://fedoraproject.org/wiki/Packaging:Systemd. Sample text: | |||
Systemd services included in Fedora are recommended to use as many of the following security settings as applicable while maintaining the default functionality of the service. | |||
* `PrivateTmp=yes` | |||
* `ProtectSystem=yes/full/strict` | |||
* `ProtectHome=yes` | |||
* `PrivateDevices=yes` | |||
* `ProtectKernelTunables=yes` | |||
* `ProtectKernelModules=yes` | |||
* `ProtectControlGroups=yes` | |||
* `NoNewPrivileges=yes` | |||
* `PrivateNetwork=yes` | |||
The full list of sandboxing features are available in https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing. Note that if you are submitting changes to upstream as recommended, systemd will warn and ignore any of these features it doesn't support. So it should be safe for upstream to enable as many of these features as applicable and not worry about distribution support for ones using older versions of systemd. | |||
* Trademark approval: N/A | * Trademark approval: N/A | ||
Line 89: | Line 105: | ||
== Documentation == | == Documentation == | ||
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html | * https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing | ||
* https://www.redhat.com/sysadmin/systemd-secure-services | * https://www.redhat.com/sysadmin/systemd-secure-services | ||
* https://www.redhat.com/sysadmin/mastering-systemd | * https://www.redhat.com/sysadmin/mastering-systemd |
Revision as of 00:59, 16 November 2023
Enable systemd service hardening features for default and high profile services
Summary
Improve security by enabling some of the high level systemd security hardening settings that isolate and sandbox default and high profile services.
Owner
- Name: Rahul Sundaram
- Email: metherid@gmail.com
- Targeted release: Fedora 40
- Last updated: 2023-11-16
- [<will be assigned by the Wrangler> devel thread]
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
systemd provides a number of knobs that can harden security for services. We are selecting a few high level ones to enable by default. These need to be configured on a per service basis instead of global override to avoid impacting users on upgrades.
PrivateTmp=yes
ProtectSystem=yes/full/strict
ProtectHome=yes/read-only
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
PrivateNetwork=yes
We will enable as many of these as feasible for the services but not every knob is going to be applicable to every service. For example, ProtectHome=yes
wouldn't work for any of the systemd user services, but ProtectHome=read-only
might and PrivateNetwork=yes
can only be used for services that work purely locally. Ideally we cover all the default services as well as some of the most commonly used services such as Nginx or PostgreSQL.
Feedback
Benefit to Fedora
Fedora services will get a significant security boost by default by avoiding or mitigating any unknown security vulnerabilities in these services.
Scope
- Proposal owners: Pull requests to enable various security features to services available by default and other high profile services.
- Other developers: Review PRs as needed
- Release engineering: https://pagure.io/releng/issue/11785
- Policies and guidelines:
Packaging guidelines will have to be modified to add recommendations to use more of the systemd security features by default. In particular, we should add a security settings section in https://fedoraproject.org/wiki/Packaging:Systemd. Sample text:
Systemd services included in Fedora are recommended to use as many of the following security settings as applicable while maintaining the default functionality of the service.
PrivateTmp=yes
ProtectSystem=yes/full/strict
ProtectHome=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
NoNewPrivileges=yes
PrivateNetwork=yes
The full list of sandboxing features are available in https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing. Note that if you are submitting changes to upstream as recommended, systemd will warn and ignore any of these features it doesn't support. So it should be safe for upstream to enable as many of these features as applicable and not worry about distribution support for ones using older versions of systemd.
- Trademark approval: N/A
Upgrade/compatibility impact
Packages will automatically get additional security features enabled by default transparently.
How To Test
You can use tools like systemd-analyze security
and systemctl cat
to verify that specific security features are enabled by default. Default services should have no adverse impact and users shouldn't have to do anything beyond using the software as intended and report any regressions. High profile services not installed by default that gain these security features would benefit from more targeting testing to spot any unintended consequences especially for niche or advanced functionality.
User Experience
This should be a fully transparent change for users.
Dependencies
None. We are merely enabling some long supported systemd features by default for default and high profile services.
Contingency Plan
- Contingency mechanism: These settings can be enabled/disabled at a per service level. No wholesale reverts is necessary. If we don't finish the work for all the services, we can follow up in future releases.
- Contingency deadline: N/A
- Blocks release? No
Documentation
- https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing
- https://www.redhat.com/sysadmin/systemd-secure-services
- https://www.redhat.com/sysadmin/mastering-systemd
Release Notes
systemd security hardening features are enabled for default services and following high profile services.
- Postgres
- Apache Httpd
- Nginx
- MariaDB
....
If you wish to turn off any particular settings, you can follow the standard systemd method of overriding the config. For example,
$ cat /etc/systemd/system/httpd.service.d/override.conf
[Service]
ProtectHome=no
$ sudo systemctl daemon-reload
$ sudo systemctl restart httpd.service
$ sudo systemctl status httpd.service
$ systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─override.conf
Active: active (running) since Mon 2023-11-15 18:29:25 EST; 3min 30s ago