From 78035bc14ef85fd2a69127271cc201c00d6e9730 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Wed, 5 Dec 2018 09:24:04 -0500
Subject: [PATCH] systemd hardening

Improve security by isolating boinc as much as possible.
See https://www.freedesktop.org/software/systemd/man/systemd.exec.html for explanations of each option
---
 client/scripts/boinc-client.service.in | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/client/scripts/boinc-client.service.in b/client/scripts/boinc-client.service.in
index f1778f1748..25204c5d04 100644
--- a/client/scripts/boinc-client.service.in
+++ b/client/scripts/boinc-client.service.in
@@ -4,8 +4,12 @@ Documentation=man:boinc(1)
 After=network-online.target
 
 [Service]
-ProtectHome=true
 Type=simple
+ProtectHome=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectControlGroups=true
+ReadWritePaths=-/var/lib/boinc -/etc/boinc-client
 Nice=10
 User=boinc
 WorkingDirectory=/var/lib/boinc
@@ -14,6 +18,20 @@ ExecStop=@exec_prefix@/bin/boinccmd --quit
 ExecReload=@exec_prefix@/bin/boinccmd --read_cc_config
 ExecStopPost=/bin/rm -f lockfile
 IOSchedulingClass=idle
+# The following options prevent setuid root as they imply NoNewPrivileges=true
+# Since Atlas requires setuid root, they break Atlas
+# In order to improve security, if you're not using Atlas,
+# Add these options to the [Service] section of an override file using
+# sudo systemctl edit boinc-client.service
+#NoNewPrivileges=true
+#ProtectKernelModules=true
+#ProtectKernelTunables=true
+#RestrictRealtime=true
+#RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+#RestrictNamespaces=true
+#PrivateUsers=true
+#CapabilityBoundingSet=
+#MemoryDenyWriteExecute=true
 
 [Install]
 WantedBy=multi-user.target
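Review bot: The first line of the comment block added in the second hunk is imprecise: as far as systemd.exec(5) describes it, ProtectKernelModules=, ProtectKernelTunables=, RestrictRealtime=, RestrictAddressFamilies=, RestrictNamespaces= and MemoryDenyWriteExecute= imply NoNewPrivileges=yes when User= is not root, but an empty CapabilityBoundingSet= and PrivateUsers=true do not — they defeat a setuid-root helper by other means (no capabilities can be acquired on exec, and root inside the unit's user namespace is not host root), so the Atlas caveat is right for the wrong reason on those two. A wording such as `# The following options break setuid-root helpers: most imply NoNewPrivileges=true, while CapabilityBoundingSet= and PrivateUsers= strip the privilege a setuid binary would otherwise gain` keeps the explanation accurate. It would also help operators to note that `systemctl edit boinc-client.service` opens a drop-in file whose contents must themselves start with a `[Service]` header before these keys are pasted in. Separately, in the first hunk the `-` prefix on `ReadWritePaths=` silently skips a missing /var/lib/boinc or /etc/boinc-client, so a packaging error surfaces later as a read-only-filesystem write failure under ProtectSystem=strict rather than as a clear start-up error; acceptable, but a one-line comment on that line saying so would save debugging time.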