security: restrict abis in bitcoind.service #28340

pull CharlieC3 wants to merge 1 commits into bitcoin:master from CharlieC3:restrict-abis changing 1 files +3 −0
  1. CharlieC3 commented at 9:15 PM on August 24, 2023: contributor

    As noted here, it's a good idea to pair MemoryDenyWriteExecute=true with SystemCallArchitectures=native because MemoryDenyWriteExecute can be circumvented in some operating systems which support multiple ABIs like x86/x86-64. This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area.

  2. security: restrict abis in bitcoind.service
    It's recommended to restrict the possible application binary interfaces that can be used when setting `MemoryDenyWriteExecute=true` to ensure it cannot be circumvented.
    0244416aac
  3. DrahtBot commented at 9:15 PM on August 24, 2023: contributor

    <!--e57a25ab6845829454e8d69fc972939a-->

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    <!--006a51241073e994b41acfe9ec718e94-->

    Code Coverage

    For detailed information about the code coverage, see the test coverage report.

    <!--021abf342d371248e50ceaed478a90ca-->

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    ACK laanwj, 0xB10C
    Concept ACK Sjors

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

  4. DrahtBot added the label CI failed on Aug 25, 2023
  5. DrahtBot removed the label CI failed on Aug 25, 2023
  6. Sjors commented at 12:57 PM on August 25, 2023: member

    Probably Concept ACK, because nix-bitcoin does this too: https://github.com/fort-nix/nix-bitcoin/blob/master/pkgs/lib.nix

    Might as well consider all the extra stuff they added there.

  7. DrahtBot added the label CI failed on Sep 3, 2023
  8. DrahtBot removed the label CI failed on Sep 5, 2023
  9. DrahtBot added the label CI failed on Sep 19, 2023
  10. DrahtBot removed the label CI failed on Sep 21, 2023
  11. DrahtBot added the label CI failed on Jan 12, 2024
  12. achow101 requested review from laanwj on Apr 9, 2024
  13. achow101 requested review from 0xB10C on Apr 9, 2024
  14. laanwj commented at 2:45 PM on April 9, 2024: member

    ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea . This is a sensible security feature. It looks like the documentation of systemd.exec even mentions this pairing.

    I do agree with @sjors, however, that when we're adding systemd hardening options, we might as well look further.

  15. DrahtBot requested review from Sjors on Apr 9, 2024
  16. 0xB10C commented at 3:17 PM on April 10, 2024: contributor

    ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea

  17. ryanofsky merged this on Apr 17, 2024
  18. ryanofsky closed this on Apr 17, 2024
  19. PastaPastaPasta referenced this in commit 2fdb90b112 on Oct 25, 2024
  20. PastaPastaPasta referenced this in commit c4a147cfea on Oct 26, 2024
  21. PastaPastaPasta referenced this in commit f211bb9289 on Oct 27, 2024
  22. bitcoin locked this on Apr 17, 2025
Contributors
CharlieC3DrahtBotSjorslaanwj0xB10C


Sjorslaanwj0xB10C

Labels
CI failed
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-28 00:13 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me