nextcloud-spreed-signaling/dist/init/systemd
Andrea Pappacoda 15a9bea122
dist: harden systemd service unit
With this patch the systemd service will now run in a hardened sandbox
that limits the kinds of subsystems available to the unit. This improves
the overall security of the system, as nextcloud-spreed-signaling
becomes almost pointless to exploit.

The most notable changes include:

- The entire file system is mounted read-only with ProtectSystem=strict
- No binaries are executable, apart from /usr/bin/signaling, with
  NoExecPaths=/ and ExecPaths=/usr/bin/signaling
- The service cannot see any user on the system apart from the one that
  is running the process, with PrivateUsers=yes
- Most of the /proc subsystem is inaccessible, and things like system
  stats may be unavailable, with ProcSubset=pid
- All home directories are inaccessible, with ProtectHome=yes
- The kinds of permitted system calls are limited, via SystemCallFilter=

I highly recommend that you read the systemd.exec(5) manual page to fully
understand what these options do and how they can protect the system.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
2022-06-15 00:00:20 +02:00
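The unit below is an added, constructed example that applies the hardening directives named in the commit message above; it is not the repository's own signaling.service. The User=/Group= names, the ExecStart arguments, the config path and the StateDirectory= line are assumptions made for illustration; /usr/bin/signaling is the binary path the commit message cites.

```ini
# Constructed example unit, not the project's shipped signaling.service.
# Assumed: a dedicated unprivileged account "signaling" and a config file
# under /etc/signaling; adjust both to the real deployment.
[Unit]
Description=Nextcloud Talk signaling server (hardened example)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=signaling
Group=signaling
ExecStart=/usr/bin/signaling --config /etc/signaling/server.conf
Restart=on-failure

# --- File system ---
# Whole file system read-only; only StateDirectory=, RuntimeDirectory=,
# LogsDirectory= and ReadWritePaths= stay writable.
ProtectSystem=strict
# Home directories are not visible at all.
ProtectHome=yes
# Private /tmp so the service cannot read or plant files in the shared one.
PrivateTmp=yes
# Nothing is executable except the server binary itself.
NoExecPaths=/
ExecPaths=/usr/bin/signaling
# Assumed: the server needs a writable state directory; systemd creates
# /var/lib/signaling owned by User= and mounts it writable despite strict.
StateDirectory=signaling

# --- Users and /proc ---
# Separate user namespace: other accounts on the host do not exist inside it.
PrivateUsers=yes
# Only process entries in /proc; /proc/sys, /proc/meminfo etc. are hidden.
ProcSubset=pid
# Processes of other users are not even listed.
ProtectProc=invisible

# --- Kernel and system-call surface ---
# Allow the common service syscall group, then strip privileged and
# resource-tuning calls from it; multiple lines merge.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
# Anything outside the filter ends the process with EPERM instead of SIGSYS,
# which keeps the failure visible in the journal without a core dump.
SystemCallErrorNumber=EPERM
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
# Only the address families a WebSocket/HTTP server needs.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
NoNewPrivileges=yes
CapabilityBoundingSet=

[Install]
WantedBy=multi-user.target
```

Two checks are worth running after installing a unit like this: `systemd-analyze verify signaling.service` catches syntax and unknown-directive errors, and `systemd-analyze security signaling.service` scores the remaining exposure and lists every directive still at its default. Two caveats follow from the directives above: with ProtectSystem=strict, any path the server writes to (state, TLS material it regenerates, logs outside the journal) must be granted explicitly or the write fails with EACCES; and with PrivateUsers=yes the service cannot use host capabilities, so it must listen on an unprivileged port, typically behind a reverse proxy, rather than relying on CAP_NET_BIND_SERVICE.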
signaling.service dist: harden systemd service unit 2022-06-15 00:00:20 +02:00