Apply hardening measures in bitcoind systemd service file #12102

pull Flowdalic wants to merge 1 commits into bitcoin:master from Flowdalic:systemd-hardening changing 1 files +19 −0
  1. Flowdalic commented at 6:09 pm on January 6, 2018: contributor
    Adds typical systemd hardening measurements for network services.
  2. fanquake added the label Scripts and tools on Jan 7, 2018
  3. TheBlueMatt commented at 6:26 pm on January 9, 2018: member
    Concept ACK, seems reasonable.
  4. fanquake commented at 6:37 am on January 22, 2018: member

    Here’s documentation for the 4 new options being added, taken from the freedesktop.org docs.

    ProtectSystem

    Takes a boolean argument or the special values “full” or “strict”. If true, mounts the /usr and /boot directories read-only for processes invoked by this unit. If set to “full”, the /etc directory is mounted read-only, too. If set to “strict” the entire file system hierarchy is mounted read-only, except for the API file system subtrees /dev, /proc and /sys (protect these directories using PrivateDevices=, ProtectKernelTunables=, ProtectControlGroups=). This setting ensures that any modification of the vendor-supplied operating system (and optionally its configuration, and local mounts) is prohibited for the service. It is recommended to enable this setting for all long-running services, unless they are involved with system updates or need to modify the operating system in other ways. If this option is used, ReadWritePaths= may be used to exclude specific directories from being made read-only. This setting is implied if DynamicUser= is set. For this setting the same restrictions regarding mount propagation and privileges apply as for ReadOnlyPaths= and related calls, see below. Defaults to off.

    NoNewPrivileges

    Takes a boolean argument. If true, ensures that the service process and all its children can never gain new privileges through execve() (e.g. via setuid or setgid bits, or filesystem capabilities). This is the simplest and most effective way to ensure that a process and its children can never elevate privileges again. Defaults to false, but certain settings override this and ignore the value of this setting. This is the case when SystemCallFilter=, SystemCallArchitectures=, RestrictAddressFamilies=, RestrictNamespaces=, PrivateDevices=, ProtectKernelTunables=, ProtectKernelModules=, MemoryDenyWriteExecute=, RestrictRealtime=, or LockPersonality= are specified. Note that even if this setting is overridden by them, systemctl show shows the original value of this setting. Also see No New Privileges Flag.

    PrivateDevices

    Takes a boolean argument. If true, sets up a new /dev mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. This is useful to securely turn off physical device access by the executed process. Defaults to false. Enabling this option will install a system call filter to block low-level I/O system calls that are grouped in the @raw-io set, will also remove CAP_MKNOD and CAP_SYS_RAWIO from the capability bounding set for the unit (see above), and set DevicePolicy=closed (see systemd.resource-control(5) for details). Note that using this setting will disconnect propagation of mounts from the service to the host (propagation in the opposite direction continues to work). This means that this setting may not be used for services which shall be able to install mount points in the main mount namespace. The new /dev will be mounted read-only and ’noexec’. The latter may break old programs which try to set up executable memory by using mmap(2) of /dev/zero instead of using MAP_ANON. For this setting the same restrictions regarding mount propagation and privileges apply as for ReadOnlyPaths= and related calls, see above. If turned on and if running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes is implied.

    Note that the implementation of this setting might be impossible (for example if mount namespaces are not available), and the unit should be written in a way that does not solely rely on this setting for security.

    MemoryDenyWriteExecute

    Takes a boolean argument. If set, attempts to create memory mappings that are writable and executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory segments as executable are prohibited. Specifically, a system call filter is added that rejects mmap(2) system calls with both PROT_EXEC and PROT_WRITE set, mprotect(2) or pkey_mprotect(2) system calls with PROT_EXEC set and shmat(2) system calls with SHM_EXEC set. Note that this option is incompatible with programs and libraries that generate program code dynamically at runtime, including JIT execution engines, executable stacks, and code “trampoline” feature of various C compilers. This option improves service security, as it makes harder for software exploits to change running code dynamically. Note that this feature is fully available on x86-64, and partially on x86. Specifically, the shmat() protection is not available on x86. Note that on systems supporting multiple ABIs (such as x86/x86-64) it is recommended to turn off alternative ABIs for services, so that they cannot be used to circumvent the restrictions of this option. Specifically, it is recommended to combine this option with SystemCallArchitectures=native or similar. If running in user mode, or in system mode, but without the CAP_SYS_ADMIN capability (e.g. setting User=), NoNewPrivileges=yes is implied.

  5. dongcarl commented at 2:58 am on February 5, 2018: member
    Hi all, I’m working on #12255 which also changes the systemd service file and sets up the pidfile, datadir, and conffile with the right permissions and at the right places. @laanwj told me to coordinate my changes with people here. From what I see things should be compatible except I make the assumption that the service is running as bitcoin:bitcoin, which I think we should be according to init.md right?
  6. practicalswift commented at 4:29 pm on February 8, 2018: contributor
    Concept ACK. Hardening is good!
  7. laanwj renamed this:
    Apply hardening measurements in bitcoind systemd service file
    Apply hardening measures in bitcoind systemd service file
    on Feb 8, 2018
  8. in contrib/init/bitcoind.service:23 in 8531bdb44c outdated
    18@@ -19,7 +19,26 @@ User=bitcoin
    19 Type=forking
    20 PIDFile=/run/bitcoind/bitcoind.pid
    21 Restart=on-failure
    22+
    23+# Hardening measurements
    


    laanwj commented at 6:30 pm on February 8, 2018:
    Nit: Hardening measures, not measurements :)

    Flowdalic commented at 8:37 am on February 9, 2018:
    Thanks for pointing this out. Fixed with 8748949.
  9. laanwj assigned laanwj on Feb 8, 2018
  10. laanwj commented at 4:22 pm on March 13, 2018: member
    ACK after squash
  11. cdecker commented at 8:47 pm on March 13, 2018: contributor
    ACK :+1:
  12. Flowdalic force-pushed on Mar 14, 2018
  13. Flowdalic commented at 6:27 am on March 14, 2018: contributor
    Rebased and squashed.
  14. Flowdalic force-pushed on Mar 14, 2018
  15. fanquake commented at 6:36 am on March 14, 2018: member
    utACK 2e86249
  16. in contrib/init/bitcoind.service:36 in 2e86249c23 outdated
    31+
    32+# Disallow the process and all of its children to gain
    33+# new privileges through execve()
    34+NoNewPrivileges=true
    35+
    36+# Use a new /dev namespace only populated with API pseudeo devices
    


    practicalswift commented at 6:42 am on March 14, 2018:
    Typo: “pseudo” :-)
  17. in contrib/init/bitcoind.service:37 in 2e86249c23 outdated
    32+# Disallow the process and all of its children to gain
    33+# new privileges through execve()
    34+NoNewPrivileges=true
    35+
    36+# Use a new /dev namespace only populated with API pseudeo devices
    37+# such as /dev/null, /dev/zero or /dev/random
    


    practicalswift commented at 6:43 am on March 14, 2018:
    Nit: “or” should be “and”?
  18. in contrib/init/bitcoind.service:40 in 2e86249c23 outdated
    35+
    36+# Use a new /dev namespace only populated with API pseudeo devices
    37+# such as /dev/null, /dev/zero or /dev/random
    38+PrivateDevices=true
    39+
    40+# Deny the creation of writeable and executably memory mappings
    


    practicalswift commented at 6:44 am on March 14, 2018:
    Typo: “writable” and “executable” :-)
  19. in contrib/init/bitcoind.service:29 in 2e86249c23 outdated
    24+####################
    25+
    26+# Provide a private /tmp and /var/tmp
    27 PrivateTmp=true
    28 
    29+# Mount /usr, /boot/ and /etc read-only for the process.
    


    practicalswift commented at 6:45 am on March 14, 2018:
    Nit: Remove trailing “.” to get consistency with the remaining comments.
  20. practicalswift commented at 6:46 am on March 14, 2018: contributor
    utACK modulo fixed review feedback above
  21. Apply hardening measurements in bitcoind systemd service file
    Adds typical systemd hardening measurements for network services.
    79ddfad486
  22. Flowdalic force-pushed on Mar 14, 2018
  23. Flowdalic commented at 7:12 am on March 14, 2018: contributor
    Incorporated @practicalswift’s feedback and squashed. Thanks for the feedback. :)
  24. fanquake commented at 1:45 pm on March 14, 2018: member
    re-utACK 79ddfad
  25. laanwj merged this on Mar 14, 2018
  26. laanwj closed this on Mar 14, 2018

  27. laanwj referenced this in commit 7fb8fb43a6 on Mar 14, 2018
  28. Flowdalic deleted the branch on Oct 4, 2018
  29. PastaPastaPasta referenced this in commit ee67541ac3 on Jun 10, 2020
  30. PastaPastaPasta referenced this in commit 0d06fe29bc on Jun 13, 2020
  31. PastaPastaPasta referenced this in commit cfaa185136 on Jun 13, 2020
  32. PastaPastaPasta referenced this in commit 337105e00f on Jun 13, 2020
  33. PastaPastaPasta referenced this in commit 3945c4464a on Jun 17, 2020
  34. MarcoFalke locked this on Sep 8, 2021

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-12-19 03:12 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me