

systemd: lock down privileges more
Signed-off-by: Patrick Donnelly <[email protected]>
batrick committed Feb 7, 2019
1 parent 54fd6dc commit 5176709
Showing 7 changed files with 51 additions and 1 deletion.
8 changes: 8 additions & 0 deletions systemd/[email protected]
Expand Up @@ -9,6 +9,14 @@ PartOf=ceph-fuse.target
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-fuse -f --cluster ${CLUSTER} %I
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
# ceph-fuse requires access to /dev fuse device
PrivateDevices=no
ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
TasksMax=infinity
Restart=on-failure
StartLimitInterval=30min
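Review bot: `PrivateDevices=no` is the only boolean across these seven units spelled `no` rather than `true`/`false`; systemd accepts both, but one spelling keeps the units diffable against each other — `PrivateDevices=false`. The comment above it explaining the /dev/fuse requirement is exactly the right pattern, and it is worth extending: this unit is the only one that does not gain ProtectSystem=, ProtectHome= or PrivateTmp=, and nothing says whether that is deliberate (presumably because a FUSE mount point may live anywhere, including under /home), so a one-line comment would stop a later pass from "re-hardening" it. The [Service] section continues outside the hunk.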
6 changes: 6 additions & 0 deletions systemd/[email protected]
Expand Up @@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-mds -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
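Review bot: The hardening keys are in alphabetical order except `PrivateTmp=true`, which lands after `ProtectSystem=full` instead of next to `PrivateDevices=yes`; the same ordering is repeated in the mgr, mon, osd, rgw and rbd-mirror units. Keeping the Private*/Protect* directives grouped identically in every unit makes a side-by-side diff show immediately which daemon lacks (or relaxes) a given directive, which is the property these files now depend on. The [Service] section continues outside the hunk.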
11 changes: 10 additions & 1 deletion systemd/[email protected]
Expand Up @@ -9,9 +9,18 @@ LimitNOFILE=1048576
LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph

ExecStart=/usr/bin/ceph-mgr -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
Restart=on-failure
RestartSec=10
StartLimitInterval=30min
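Review bot: `MemoryDenyWriteExecute=true` is the directive most likely to surface problems on this particular unit, because ceph-mgr hosts Python modules and any module that relies on a JIT or on libffi/ctypes callbacks may need writable-then-executable mappings, which this filter rejects (depending on how libffi was built it can fall back to a dual mapping, but that is not guaranteed). It deserves a test pass across the shipped mgr modules before release, and if it has to be relaxed the exception should carry a comment in the style the mon/osd units already use for NoNewPrivileges= and ProtectKernelTunables=. The [Service] section continues outside the hunk.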
7 changes: 7 additions & 0 deletions systemd/[email protected]
Expand Up @@ -17,8 +17,15 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-mon -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
# Need NewPrivileges via `sudo smartctl`
NoNewPrivileges=false
PrivateDevices=yes
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
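Review bot: `PrivateDevices=yes` sits uneasily with the comment two lines above it that keeps `NoNewPrivileges=false` so the mon can run `sudo smartctl`: PrivateDevices= gives the service a private /dev holding only API pseudo-devices (null, zero, random, the pty subsystem) and no physical disks, and it also removes CAP_SYS_RAWIO from the bounding set, so a smartctl spawned from inside this unit would have nothing it can inspect. If the mon really needs smartctl against local disks then PrivateDevices= has to go (it is already absent from the osd unit) and the comment should say why; if it does not, the NoNewPrivileges=false exception can be dropped here and the mon hardened exactly like mds/mgr/rgw. Either way the two directives should not both stay as written. The [Service] section continues outside the hunk.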
8 changes: 8 additions & 0 deletions systemd/[email protected]
Expand Up @@ -12,7 +12,15 @@ Environment=CLUSTER=ceph
ExecStart=/usr/bin/ceph-osd -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecStartPre=/usr/lib/ceph/ceph-osd-prestart.sh --cluster ${CLUSTER} --id %i
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
# Need NewPrivileges via `sudo smartctl`
NoNewPrivileges=false
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
# flushing filestore requires access to /proc/sys/vm/drop_caches
ProtectKernelTunables=false
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
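Review bot: The osd unit is the only one of the seven that omits `PrivateDevices=` entirely, and unlike the two relaxations in this hunk that do carry a comment (NoNewPrivileges=false for `sudo smartctl`, ProtectKernelTunables=false for drop_caches) the omission is silent, so a later consistency pass could add `PrivateDevices=yes` and cut the OSD off from its devices. A comment in the same style where the directive would otherwise sit, e.g. `# No PrivateDevices: the OSD needs its data block devices (and smartctl needs /dev/sd*)`, would make the omission deliberate and self-documenting; the exact reason is my inference and should be confirmed by the author. The [Service] section continues outside the hunk.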
6 changes: 6 additions & 0 deletions systemd/[email protected]
Expand Up @@ -10,8 +10,14 @@ LimitNPROC=1048576
EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/radosgw -f --cluster ${CLUSTER} --name client.%i --setuser ceph --setgroup ceph
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
TasksMax=infinity
6 changes: 6 additions & 0 deletions systemd/[email protected]
Expand Up @@ -11,8 +11,14 @@ EnvironmentFile=-@SYSTEMD_ENV_FILE@
Environment=CLUSTER=ceph
ExecStart=/usr/bin/rbd-mirror -f --cluster ${CLUSTER} --id %i --setuser ceph --setgroup ceph
ExecReload=/bin/kill -HUP $MAINPID
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateDevices=yes
ProtectControlGroups=true
ProtectHome=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectSystem=full
PrivateTmp=true
Restart=on-failure
