RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-04-11 04:02:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

systemd: lock down more privileges

Browse Source 
Including:

        ProtectClock=true
        ProtectHostname=true
        ProtectKernelLogs=true
        RestrictSUIDSGID=true

Also, alphabetize [service] settings.

Finally, add some protections for
systemd/ceph-immutable-object-cache@.service.in present in our other
service files but not this one.

Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
This commit is contained in:
Patrick Donnelly 2020-05-09 14:41:47 -07:00
parent ba805463ec
commit 9a84d5a09b
No known key found for this signature in database
GPG Key ID: 3A2A7E25BEA8AADB
8 changed files with 96 additions and 63 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
systemd/ceph-fuse@.service.in
View File

@ -6,21 +6,25 @@ Conflicts=umount.target
PartOf=ceph-fuse.target
[Service]
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecStart=/usr/bin/ceph-fuse -f --cluster ${CLUSTER} %I
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
# ceph-fuse requires access to /dev fuse device
PrivateDevices=no
ProtectClock=true
ProtectControlGroups=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
TasksMax=infinity
Restart=on-failure
StartLimitInterval=30min
RestrictSUIDSGID=true
StartLimitBurst=3
StartLimitInterval=30min
TasksMax=infinity
[Install]
WantedBy=ceph-fuse.target

22
systemd/ceph-immutable-object-cache@.service.in
View File

@ -5,20 +5,26 @@ Wants=network-online.target local-fs.target
PartOf=ceph-immutable-object-cache.target
[Service]
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-immutable-object-cache -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/ceph-immutable-object-cache -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
ProtectHome=true
ProtectSystem=full
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Restart=on-failure
StartLimitInterval=30min
RestrictSUIDSGID=true
StartLimitBurst=3
TasksMax=infinity
[Install]
WantedBy=ceph-immutable-object-cache.target

18
systemd/ceph-mds@.service.in
View File

@ -5,26 +5,30 @@ Wants=network-online.target local-fs.target time-sync.target
PartOf=ceph-mds.target
[Service]
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
Restart=on-failure
StartLimitInterval=30min
RestrictSUIDSGID=true
StartLimitBurst=3
StartLimitInterval=30min
TasksMax=infinity
[Install]
WantedBy=ceph-mds.target

36
systemd/ceph-mgr@.service.in
View File

@ -5,30 +5,34 @@ Wants=network-online.target local-fs.target time-sync.target
PartOf=ceph-mgr.target
[Service]
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=yes
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
Restart=on-failure
RestartSec=10
RestrictSUIDSGID=true
StartLimitBurst=3
StartLimitInterval=30min
# We need to disable this protection as some python libraries generate
# dynamic code, like python-cffi, and require mmap calls to succeed
MemoryDenyWriteExecute=false
NoNewPrivileges=true
PrivateDevices=yes
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
Restart=on-failure
RestartSec=10
StartLimitInterval=30min
StartLimitBurst=3
[Install]
WantedBy=ceph-mgr.target

21
systemd/ceph-mon@.service.in
View File

@ -7,32 +7,35 @@ Description=Ceph cluster monitor daemon
# configuration.
After=network-online.target local-fs.target time-sync.target
Wants=network-online.target local-fs.target time-sync.target
PartOf=ceph-mon.target
[Service]
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
# Need NewPrivileges via `sudo smartctl`
NoNewPrivileges=false
PrivateDevices=yes
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
Restart=on-failure
StartLimitInterval=30min
StartLimitBurst=5
RestartSec=10
RestrictSUIDSGID=true
StartLimitBurst=5
StartLimitInterval=30min
TasksMax=infinity
[Install]
WantedBy=ceph-mon.target

20
systemd/ceph-osd@.service.in
View File

@ -5,29 +5,33 @@ Wants=network-online.target local-fs.target time-sync.target
PartOf=ceph-osd.target
[Service]
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecStartPre=/usr/lib/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i
ExecReload=/bin/kill -HUP $MAINPID
LimitNOFILE=1048576
LimitNPROC=1048576
LockPersonality=true
MemoryDenyWriteExecute=true
# Need NewPrivileges via `sudo smartctl`
NoNewPrivileges=false
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
# flushing filestore requires access to /proc/sys/vm/drop_caches
ProtectKernelTunables=false
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
Restart=on-failure
StartLimitInterval=30min
StartLimitBurst=3
RestartSec=10
RestrictSUIDSGID=true
StartLimitBurst=3
StartLimitInterval=30min
TasksMax=infinity
[Install]
WantedBy=ceph-osd.target

16
systemd/ceph-radosgw@.service.in
View File

@ -5,25 +5,29 @@ Wants=network-online.target local-fs.target time-sync.target
PartOf=ceph-radosgw.target
[Service]
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
Restart=on-failure
StartLimitInterval=30s
RestrictSUIDSGID=true
StartLimitBurst=5
StartLimitInterval=30s
TasksMax=infinity
[Install]
WantedBy=ceph-radosgw.target

16
systemd/ceph-rbd-mirror@.service.in
View File

@ -5,25 +5,29 @@ Wants=network-online.target local-fs.target
PartOf=ceph-rbd-mirror.target
[Service]
Environment=CLUSTER=ceph
EnvironmentFile=-@SYSTEMD_ENV_FILE@
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/bin/rbd-mirror -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/rbd-mirror -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
PrivateTmp=true
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
Restart=on-failure
StartLimitInterval=30min
RestrictSUIDSGID=true
StartLimitBurst=3
StartLimitInterval=30min
TasksMax=infinity
[Install]