mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2025-01-27 10:54:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

core:sandbox: add more /proc/* entries to ProtectKernelTunables=

Browse Source 
Make ALSA entries, latency interface, mtrr, apm/acpi, suspend interface,
filesystems configuration and IRQ tuning readonly.

Most of these interfaces now days should be in /sys but they are still
available through /proc, so just protect them. This patch does not touch
/proc/net/...
This commit is contained in:
Djalal Harouni 2016-09-25 11:30:11 +02:00
parent 9221aec8d0
commit 49accde7bd
2 changed files with 15 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
man/systemd.exec.xml
View File

@ -1026,8 +1026,10 @@
<term><varname>ProtectKernelTunables=</varname></term> <term><varname>ProtectKernelTunables=</varname></term>
<listitem><para>Takes a boolean argument. If true, kernel variables accessible through <listitem><para>Takes a boolean argument. If true, kernel variables accessible through
<filename>/proc/sys</filename>, <filename>/sys</filename> and <filename>/proc/sysrq-trigger</filename> will be <filename>/proc/sys</filename>, <filename>/sys</filename>, <filename>/proc/sysrq-trigger</filename>,
made read-only to all processes of the unit. Usually, tunable kernel variables should only be written at <filename>/proc/latency_stats</filename>, <filename>/proc/acpi</filename>,
<filename>/proc/timer_stats</filename>, <filename>/proc/fs</filename> and <filename>/proc/irq</filename> will
be made read-only to all processes of the unit. Usually, tunable kernel variables should only be written at
boot-time, with the <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> boot-time, with the <citerefentry><refentrytitle>sysctl.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for mechanism. Almost no services need to write to these at runtime; it is hence recommended to turn this on for
most services. For this setting the same restrictions regarding mount propagation and privileges apply as for most services. For this setting the same restrictions regarding mount propagation and privileges apply as for

11
src/core/namespace.c
View File

@ -74,7 +74,18 @@ typedef struct TargetMount {
static const TargetMount protect_kernel_tunables_table[] = { static const TargetMount protect_kernel_tunables_table[] = {
{ "/proc/sys", READONLY, false }, { "/proc/sys", READONLY, false },
{ "/proc/sysrq-trigger", READONLY, true }, { "/proc/sysrq-trigger", READONLY, true },
{ "/proc/latency_stats", READONLY, true },
{ "/proc/mtrr", READONLY, true },
{ "/proc/apm", READONLY, true },
{ "/proc/acpi", READONLY, true },
{ "/proc/timer_stats", READONLY, true },
{ "/proc/asound", READONLY, true },
{ "/proc/bus", READONLY, true },
{ "/proc/fs", READONLY, true },
{ "/proc/irq", READONLY, true },
{ "/sys", READONLY, false }, { "/sys", READONLY, false },
{ "/sys/kernel/debug", READONLY, true },
{ "/sys/kernel/tracing", READONLY, true },
{ "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */ { "/sys/fs/cgroup", READWRITE, false }, /* READONLY is set by ProtectControlGroups= option */
}; };