Commit graph

5 commits

Author SHA1 Message Date
morph027 8fffe72c07
remove @resources from SystemCallFilter
Signed-off-by: morph027 <stefan.heitmueller@gmx.com>
2022-08-19 12:34:51 +02:00
Joachim Bauch 5b3b147794
Merge pull request #276 from Tachi107/systemd-hardening
dist: harden systemd service unit
2022-07-07 16:34:27 +02:00
Andrea Pappacoda 15a9bea122
dist: harden systemd service unit
With this patch the systemd service will now run in a hardened sandbox
that limits the kinds of subsystems available to the unit. This improves
the overall security of the system, as nextcloud-spreed-signaling
becomes almost pointless to exploit.

The most notable changes include:

- The entire file system is mounted read-only with ProtectSystem=strict
- No binaries are executable, apart from /usr/bin/signaling, with
  NoExecPaths=/ and ExecPaths=/usr/bin/signaling
- The service cannot see any user on the system apart from the one that
  is running the process, with PrivateUsers=yes
- Most of the /proc subsystem is inaccessible, and things like system
  stats may be unavailable, with ProcSubset=pid
- All home directories are inaccessible, with ProtectHome=yes
- The kinds of permitted system calls are limited, via SystemCallFilter=

I highly recommend that you read the systemd.exec(5) manual page to fully
understand what these options do and how they can protect the system.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
2022-06-15 00:00:20 +02:00
Andrea Pappacoda f09c343592
dist: add systemd sysusers file
The systemd unit makes use of the user "signaling", but it is not
created in any way, so the directive is ignored.

By creating a sysusers file it is possible to tell the system to create
a "signaling" user so that the directive is honoured.

For more information, see the sysusers.d manpage, at
https://www.freedesktop.org/software/systemd/man/sysusers.d.html

This is mainly useful on systems running systemd, but the sysusers
concept is also implemented by other projects that don't use systemd,
like opensysusers, which originated from Artix Linux.
2022-06-14 22:30:31 +02:00
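As an added illustration (not the repository's own dist/ unit file), the following fragment assembles the directives named in the two commit messages above into one hardened unit, with the sysusers.d entry that makes the User= directive effective; the Description text, the config path passed to ExecStart= and the syscall group list are assumptions.

```ini
# Illustrative unit, constructed from the directives named in the commits.
# Assumes the daemon is installed at /usr/bin/signaling (path from the commit).
[Unit]
Description=Nextcloud Talk signaling server (illustrative unit)
After=network-online.target

[Service]
Type=simple
# Only honoured if the "signaling" user exists; see the sysusers.d line below.
User=signaling
# The --config path is an assumption for this example.
ExecStart=/usr/bin/signaling --config /etc/signaling/server.conf

# Whole file system read-only for this service (ProtectSystem=strict);
# nothing is executable except the daemon binary itself.
ProtectSystem=strict
NoExecPaths=/
ExecPaths=/usr/bin/signaling
ProtectHome=yes

# Only the service's own UID is visible, and /proc is reduced to PID
# directories, so system-wide stats such as /proc/meminfo may be missing.
PrivateUsers=yes
ProcSubset=pid

# Syscall allow-list. The group selection is an assumption; the later
# commit on this page drops @resources from the filter, which shows that
# the list has to be tuned to what the binary actually calls.
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @obsolete
SystemCallErrorNumber=EPERM

[Install]
WantedBy=multi-user.target

# Companion file /usr/lib/sysusers.d/signaling.conf (sysusers.d(5) syntax,
# one line) that creates the service user at boot or package install:
#   u signaling - "Nextcloud Talk signaling server"
```

`systemd-analyze security signaling.service` scores the resulting sandbox and lists which protections are still missing; note that ProcSubset= requires systemd 247 and NoExecPaths=/ExecPaths= require systemd 248, so on older hosts those lines are ignored with a warning rather than enforced.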
morph027 08c181760f
add systemd to docs
2020-05-19 15:37:36 +02:00