templates/systemd/mastodon: update sandbox mode (#16235)

* templates/systemd/mastodon: add new sandboxing options

* templates/systemd/mastodon: add '@privileged' and remove duplicates SystemCallFilters

* templates/systemd/mastodon: add '@ipc' SystemCallFilter

* templates/systemd/mastodon: add '@memlock' SystemCallFilter

* templates/systemd/mastodon: allow '@resources' filter to mastodon-web service

diff --git a/dist/mastodon-sidekiq.service b/dist/mastodon-sidekiq.service
index 35b121cd77ea6c83b8f146d0fab61b8427574d9d..7d2d72e998b1a43523ffa8dc7ea9f874f9077c8a 100644 (file)
--- a/dist/mastodon-sidekiq.service
+++ b/dist/mastodon-sidekiq.service
@@ -13,6 +13,9 @@ Environment="LD_PRELOAD=libjemalloc.so"
 ExecStart=/home/mastodon/.rbenv/shims/bundle exec sidekiq -c 25
 TimeoutSec=15
 Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
 # Capabilities
 CapabilityBoundingSet=
 # Security
@@ -35,11 +38,15 @@ RestrictNamespaces=true
 LockPersonality=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+RemoveIPC=true
 PrivateMounts=true
 ProtectClock=true
 # System Call Filtering
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
 
 [Install]
 WantedBy=multi-user.target

diff --git a/dist/mastodon-streaming.service b/dist/mastodon-streaming.service
index 0befc529aa1d96a21a5360bace63fd97aa397edf..6d71298a56de0e05ee051535ad43d0e6c1bd8e0a 100644 (file)
--- a/dist/mastodon-streaming.service
+++ b/dist/mastodon-streaming.service
@@ -12,6 +12,9 @@ Environment="STREAMING_CLUSTER_NUM=1"
 ExecStart=/usr/bin/node ./streaming
 TimeoutSec=15
 Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
 # Capabilities
 CapabilityBoundingSet=
 # Security
@@ -34,11 +37,14 @@ RestrictNamespaces=true
 LockPersonality=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+RemoveIPC=true
 PrivateMounts=true
 ProtectClock=true
 # System Call Filtering
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @privileged @raw-io @reboot @resources @setuid @swap
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @memlock @mount @obsolete @privileged @resources @setuid
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
 
 [Install]
 WantedBy=multi-user.target

diff --git a/dist/mastodon-web.service b/dist/mastodon-web.service
index f41efd2b095d238bae688b04c0e38a3ca619ed8c..16d1d5653c0e986fb10b9c14d7a04c7e8f2a4270 100644 (file)
--- a/dist/mastodon-web.service
+++ b/dist/mastodon-web.service
@@ -13,6 +13,9 @@ ExecStart=/home/mastodon/.rbenv/shims/bundle exec puma -C config/puma.rb
 ExecReload=/bin/kill -SIGUSR1 $MAINPID
 TimeoutSec=15
 Restart=always
+# Proc filesystem
+ProcSubset=pid
+ProtectProc=invisible
 # Capabilities
 CapabilityBoundingSet=
 # Security
@@ -35,11 +38,15 @@ RestrictNamespaces=true
 LockPersonality=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
+RemoveIPC=true
 PrivateMounts=true
 ProtectClock=true
 # System Call Filtering
 SystemCallArchitectures=native
-SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @resources @setuid @swap
+SystemCallFilter=~@cpu-emulation @debug @keyring @ipc @mount @obsolete @privileged @setuid
+SystemCallFilter=@chown
+SystemCallFilter=pipe
+SystemCallFilter=pipe2
 
 [Install]
 WantedBy=multi-user.target