hardened and made more reliable monitor.service file:

- since the service depends on the bluetooth daemon, start after it ( After= )
- since the daemon fails to work properly without bluetooth, don't start it if bluetooth fails ( Requires= )
- shut down the service when bluetooth fails ( BindsTo= )
- since the daemon isn't necessary for networking, don't install it in the network target
- set restart mode on-failure so that if the user accidentally sets a one-shot setting manually in the service, it doesn't keep re-launching it
- don't fork the process in the background so that systemd can track the pids of all the programs spawned and kill them if they hang, to ensure a proper shutdown
- split the re-writable file with the environment into a separate optional file $service_config_path, which equals "/etc/default/monitor"; the daemon file shouldn't re-write its own service file, for both security and bug prevention
- since the daemon runs with ultimate privileges and it's networked, removing the unnecessary ones can prevent system disruption in the case of a bug or a fly-by scripted attack:
  - LockPersonality ensures the kernel personality(2) is enforced
  - NoNewPrivileges fixes process privileges as the ones set in the service
  - PrivateMounts makes any mount point created by the service private to the service itself
  - ProtectClock prevents the system clock from being altered by the service
  - ProtectControlGroups prevents the system from accessing the kernel control groups ( and overriding the security settings )
  - ProtectKernelLogs prevents access to the kernel logs
  - ProtectKernelModules prevents loading/unloading kernel modules; bluetooth modules will be loaded as necessary anyway from bluetooth.service
  - ProtectKernelTunables denies access to the kernel runtime config
  - ProtectHostname prevents hostname changes from the service
  - ProtectHome prevents writing files to the home dir of the user
  - ProtectProc=invisible makes the service able to see only its own process tree and no further
  - ProtectSystem=strict makes the whole filesystem read-only except for the paths specified in ReadWritePaths
  - RestrictNamespaces denies altering the process namespace, useful to prevent bypassing protections
  - RestrictAddressFamilies limits the types of sockets that can be read/written by the process
  - RestrictSUIDSGID prevents setting SUID and SGID bits on files
  - RestrictRealtime prevents acquiring realtime scheduling priority
  - SystemCallArchitectures ensures that only native binaries are used ( e.g. only 64 bit in a mixed 32-64 bit environment; the 32 bit ISA is often full of security pitfalls )
  - SystemCallFilter=~@mount denies access to the mount functionality to prevent bypassing most of the security settings
  - ReadWritePaths=/sys/class/bluetooth allows raw access to the bluetooth devices
  - ReadWritePaths=$base_directory allows the service to overwrite itself / its config ( dangerous, but fixing it is not in the scope of this patch )
  - ReadWritePaths=$service_config_path allows the service to overwrite the execution args of the daemon
- daemon-reload is not necessary to reload the environment file, so it's only executed for service installation
- all the features used are documented in systemd.exec(5), systemd.unit(5), systemd.service(5)
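The unit file the commit message describes, written out as a constructed example rather than the repository's own file. The daemon path, the `$DAEMON_ARGS` variable name, the `/opt/monitor` stand-in for `$base_directory`, the address families and the `multi-user.target` install target are assumptions; everything else follows the directives listed above.

```ini
# monitor.service (constructed example, not the commit's actual file)
[Unit]
Description=Bluetooth monitor daemon (hypothetical)
# Lifecycle tied to the bluetooth daemon: start after it, fail if it
# fails to start, stop when it stops.
After=bluetooth.service
Requires=bluetooth.service
BindsTo=bluetooth.service

[Service]
# No forking: systemd tracks every spawned pid and can kill hung ones.
Type=simple
# Execution arguments live in a separate, optional ("-") file that the
# daemon may rewrite instead of editing this unit.
EnvironmentFile=-/etc/default/monitor
# Placeholder: the daemon path and argument variable are not on the page.
ExecStart=/opt/monitor/monitor-daemon $DAEMON_ARGS
Restart=on-failure

# Sandboxing, see systemd.exec(5)
LockPersonality=yes
NoNewPrivileges=yes
PrivateMounts=yes
ProtectClock=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectHostname=yes
ProtectHome=yes
ProtectProc=invisible
ProtectSystem=strict
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
SystemCallArchitectures=native
SystemCallFilter=~@mount
# Assumption: the commit does not list the allowed families.
RestrictAddressFamilies=AF_UNIX AF_BLUETOOTH AF_INET AF_INET6
# The only writable paths under ProtectSystem=strict;
# /opt/monitor stands in for $base_directory.
ReadWritePaths=/sys/class/bluetooth
ReadWritePaths=/opt/monitor
ReadWritePaths=/etc/default/monitor

[Install]
# Assumption: installed under multi-user.target, not a network target.
WantedBy=multi-user.target
```

After installing, `systemd-analyze security monitor.service` prints a per-directive exposure table, which is the quickest way to confirm each of these settings is actually in effect.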