From Fedora Project Wiki
Line 1: Line 1:
{{admon/important | Comments and Explanations | The page source contains comments providing guidance to fill out each section. They are invisible when viewing this page. To read it, choose the "view source" link.<br/> '''Copy the source to a ''new page'' before making changes!  DO NOT EDIT THIS TEMPLATE FOR YOUR CHANGE PROPOSAL.'''}}
{{admon/tip | Guidance | For details on how to fill out this form, see the [https://docs.fedoraproject.org/en-US/program_management/changes_guide/ documentation].}}
{{admon/tip | Report issues | To report an issue with this template, file an issue in the [https://pagure.io/fedora-pgm/pgm_docs pgm_docs repo].}}


<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->
<!-- The actual name of your proposed change page should look something like: Changes/Your_Change_Proposal_Name.  This keeps all change proposals in the same namespace -->


= Change Proposal Name <!-- The name of your change proposal --> =
= Enable systemd service hardening for default services =


{{Change_Proposal_Banner}}
{{Change_Proposal_Banner}}


== Summary ==
== Summary ==
<!-- A sentence or two summarizing what this change is and what it will do. This information is used for the overall changeset summary page for each release. Note that motivation for the change should be in the Benefit to Fedora section below, and this part should answer the question "What?" rather than "Why?". -->
Improve security of default services by enabling some of the high impact systemd service hardening knobs for all default services.


== Owner ==
== Owner ==
<!--
For change proposals to qualify as self-contained, owners of all affected packages need to be included here. Alternatively, a SIG can be listed as an owner if it owns all affected packages.
This should link to your home wiki page so we know who you are.
-->
-->
* Name: [[User:FASAcountName| Your Name]]
* Name: [[User:Sundaram| Rahul Sundaram]]
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. -->
* Email: metherid@gmail.com
* Email: <your email address so we can contact you, invite you to meetings, etc. Please provide your Bugzilla email address if it is different from your email in FAS>
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
<!--- UNCOMMENT only for Changes with assigned Shepherd (by FESCo)
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>
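Review bot: In the Owner section the comment opener `<!--` and its two guidance lines appear on only one side of this hunk, while the closing `-->` is still present on both sides, so the new revision keeps an unmatched `-->` that renders as literal text above the Name line. Remove the leftover `-->` together with the rest of that guidance comment.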
Line 34: Line 25:
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->


<!-- Select proper category, default is Self Contained Change -->
[[Category:SystemWideChange]]
[[Category:SelfContainedChange]]
<!-- [[Category:SystemWideChange]] -->


* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f<VERSION>/ Fedora Linux <VERSION>]
* Targeted release: [https://docs.fedoraproject.org/en-US/releases/f<VERSION>/ Fedora Linux <VERSION>]
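Review bot: The Targeted release line at the end of this hunk still carries the template's `<VERSION>` placeholder in both the link URL and its label; fill in the release number. For the category lines above it, make sure exactly one category is left active: the hunk shows `[[Category:SystemWideChange]]`, `[[Category:SelfContainedChange]]` and a commented-out `<!-- [[Category:SystemWideChange]] -->`, and the "Select proper category" guidance comment can go once the choice is made.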
Line 52: Line 41:


== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate. A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
The specific toggles under consideration include the following
* PrivateTmp=true
* ProtectSystem=true
* ProtectHome=true
* PrivateDevices=true
* ProtectKernelTunables=true
* ProtectControlGroups=true
* NoNewPrivileges=true
 
We will enable as many of these as feasible for the service but not every toggle is going to be applicable to every service. For example, ProtectHome wouldn't work for any of the systemd user services and ProtectSystem wouldn't work for system services that need to access configuration in /etc


== Feedback ==
== Feedback ==
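Review bot: The closing example in the Detailed Description says ProtectSystem wouldn't work for services that need to access configuration in /etc, but the list proposes `ProtectSystem=true`, which in systemd makes /usr and the boot loader directories read-only and leaves /etc alone; /etc becomes read-only only with `full` or `strict`, and it stays readable even then. Reword the example (for instance, services that write under /usr) or state that `full` or `strict` is what is intended. The same sentence is missing its final period, the list lead-in "include the following" needs a colon, and the Feedback section is added empty.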

Revision as of 23:57, 14 November 2023


Enable systemd service hardening for default services

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Improve security of default services by enabling some of the high-impact systemd service hardening knobs for all default services.

Owner



Current status

  • Targeted release: Fedora Linux <VERSION>
  • Last updated: 2023-11-14
  • devel thread: <will be assigned by the Wrangler>
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The specific toggles under consideration include the following:

  • PrivateTmp=true
  • ProtectSystem=true
  • ProtectHome=true
  • PrivateDevices=true
  • ProtectKernelTunables=true
  • ProtectControlGroups=true
  • NoNewPrivileges=true

We will enable as many of these as feasible for each service, but not every toggle is going to be applicable to every service. For example, ProtectHome wouldn't work for any of the systemd user services, and ProtectSystem wouldn't work for system services that need to access configuration in /etc.
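
An added example, not part of the proposal or of Fedora's tooling: a small Python audit that reads a unit file's [Service] section, applies any drop-ins in order, and reports which of the seven toggles listed above are enabled. The unit text, the drop-in and all function names are constructed for illustration.

```python
PROPOSED = ("PrivateTmp", "ProtectSystem", "ProtectHome", "PrivateDevices",
            "ProtectKernelTunables", "ProtectControlGroups", "NoNewPrivileges")
TRUE = {"1", "yes", "y", "true", "t", "on"}      # systemd boolean spellings
FALSE = {"0", "no", "n", "false", "f", "off"}
# Non-boolean values that also switch the protection on.
EXTRA_ON = {"ProtectSystem": {"full", "strict"}, "ProtectHome": {"read-only", "tmpfs"}}

# Constructed sample unit and drop-in (added example, not Fedora or systemd code).
UNIT = """\
[Service]
ExecStart=/usr/bin/exampled
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
PrivateDevices=yes
# NoNewPrivileges=true
"""
DROPIN = "[Service]\nProtectHome=read-only\nNoNewPrivileges=yes\n"

def service_settings(*texts):
    """Key=Value pairs from [Service]; later texts (drop-ins) override earlier."""
    settings = {}
    for text in texts:
        section = None
        for line in map(str.strip, text.splitlines()):
            if not line or line[0] in "#;":
                continue                      # blank line or comment
            if line.startswith("[") and line.endswith("]"):
                section = line[1:-1]
            elif section == "Service" and "=" in line:
                key, value = line.split("=", 1)
                settings[key.strip()] = value.strip()
    return settings

def audit(*texts):
    """Map each proposed toggle to 'on', 'off', 'unset' or 'other'."""
    settings, report = service_settings(*texts), {}
    for name in PROPOSED:
        value = settings.get(name)
        if value is None:
            report[name] = "unset"
        elif value.lower() in TRUE or value in EXTRA_ON.get(name, ()):
            report[name] = "on"
        else:
            report[name] = "off" if value.lower() in FALSE else "other"
    return report

def not_enabled(report):
    return [name for name, state in report.items() if state != "on"]
```

On a running system, `systemd-analyze security <unit>` reports on the unit as systemd has loaded it, drop-ins included.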

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives:

Upgrade/compatibility impact

How To Test

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes