Revision as of 23:57, 14 November 2023 by Sundaram


Enable systemd service hardening for default services

This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

Summary

Improve the security of default services by enabling some of the high-impact systemd service hardening knobs for all default services.

Owner


Current status

  • Targeted release: <VERSION>/ Fedora Linux <VERSION>
  • Last updated: 2023-11-14
  • [<will be assigned by the Wrangler> devel thread]
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>

Detailed Description

The specific toggles under consideration include the following:

  • PrivateTmp=true
  • ProtectSystem=true
  • ProtectHome=true
  • PrivateDevices=true
  • ProtectKernelTunables=true
  • ProtectControlGroups=true
  • NoNewPrivileges=true

We will enable as many of these as feasible for each service, but not every toggle is going to be applicable to every service. For example, ProtectHome wouldn't work for any of the systemd user services, and ProtectSystem wouldn't work for system services that need to access configuration in /etc.
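
An added example (not part of the proposal or of systemd itself): a shell function that reports which of the seven directives listed above a unit file's [Service] section leaves unset or disabled, with drop-ins applied in order. The function names, the sample unit and its ExecStart path are constructed for illustration; on a live system, `systemd-analyze security <unit>` reports the effective settings.

```shell
#!/bin/sh
# Added example: list which of the proposal's seven directives a unit
# leaves unset or disabled. Names and sample data here are constructed.
HARDENING_KEYS="PrivateTmp ProtectSystem ProtectHome PrivateDevices \
ProtectKernelTunables ProtectControlGroups NoNewPrivileges"

# missing_hardening FILE...  Prints one missing directive per line.
# Pass the unit file first and any drop-ins after it: as in systemd,
# the last assignment of a key wins and an empty value resets it.
missing_hardening() {
    awk -v keys="$HARDENING_KEYS" '
        FNR == 1       { in_service = 0 }          # each file starts outside a section
        /^[ \t]*[#;]/  { next }                    # comment lines
        /^[ \t]*\[/    { in_service = ($0 ~ /^[ \t]*\[Service\][ \t]*$/); next }
        in_service && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]+/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            seen[key] = tolower(val)
        }
        END {
            n = split(keys, k, " ")
            for (i = 1; i <= n; i++) {
                v = seen[k[i]]
                # unset, reset to empty, or an explicit boolean false
                if (v == "" || v == "no" || v == "false" || v == "0" || v == "off")
                    print k[i]
            }
        }
    ' "$@"
}

# Constructed sample unit (hypothetical service and path).
sample_unit() {
    cat <<'EOF'
[Unit]
Description=Constructed sample service

[Service]
ExecStart=/usr/bin/example-daemon
PrivateTmp=true
ProtectSystem=full
ProtectHome=no
NoNewPrivileges=yes
EOF
}

unit=$(mktemp) && sample_unit > "$unit"
missing_hardening "$unit"
rm -f "$unit"
```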

Feedback

Benefit to Fedora

Scope

  • Proposal owners:
  • Other developers:
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Community Initiatives:

Upgrade/compatibility impact

How To Test

User Experience

Dependencies

Contingency Plan

  • Contingency mechanism: (What to do? Who will do it?) N/A (not a System Wide Change)
  • Contingency deadline: N/A (not a System Wide Change)
  • Blocks release? N/A (not a System Wide Change), Yes/No


Documentation

N/A (not a System Wide Change)

Release Notes