Proc protection of services and TemporaryFileSystem=/

TemporaryFileSystem=/ can be used to limit the file system with just some necessary paths set by BindReadOnlyPaths/BindPaths to some files, depending on what the service needs. This does not mount /proc and /sys.

There are some [service] settings regarding proc such as: ProtectProc, ProtectKernelTunables, ProtectControlGroups, ProcSubset which re-introduce /proc. My question is if their most protective functions are active just because /proc is not present. If so, systemd-analyze security could be improved by recognizing that /proc isn't available.

Examples:
ProtectProc=invisible
ProtectKernelTunables=true
ProtectControlGroups=true
ProcSubset=pid

On another note, ProtectHostname=true seems to cause a systemd error in a limited file system.

Any insights are appreciated.
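An added example (not part of the original post) of a probe unit that applies the settings asked about and reports from inside the sandbox whether /proc and /sys are actually present; the unit name and the set of bound paths are assumptions and may need adjusting for the host's layout.

```ini
# /etc/systemd/system/proc-probe.service  (hypothetical unit name, added example)
[Unit]
Description=Probe whether /proc and /sys exist under TemporaryFileSystem=/

[Service]
Type=oneshot
# Start from an empty tmpfs root; only the paths listed below are bound back in.
# /proc and /sys are deliberately not among them.
TemporaryFileSystem=/
BindReadOnlyPaths=/usr /bin /lib /lib64 /etc
# The proc-related settings from the question. Whether they still have an
# effect when /proc is absent is exactly what the probe output shows.
ProtectProc=invisible
ProcSubset=pid
ProtectKernelTunables=true
ProtectControlGroups=true
# ProtectHostname=true is left out on purpose; the post reports it fails in
# a restricted root like this one.
# Print, from the service's own mount namespace, what is visible.
ExecStart=/bin/sh -c 'for d in /proc /proc/sys /proc/1 /sys /sys/fs/cgroup; do if [ -e "$d" ]; then echo "$d: present"; else echo "$d: absent"; fi; done'
```

Run it with `systemctl start proc-probe.service` and read the result with `journalctl -u proc-probe.service`; comparing the output against `systemd-analyze security proc-probe.service` shows whether the exposure score credits settings that have nothing to act on.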
