nvmf-connect: systemd hardening effort

Apply the recommended hardening settings as recommended by openSUSE
and Fedor project. A few of the hardening option have to turned of
because nvme-cli needs write access to sysfs and /dev/nvme devices.

Links: https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
Links: https://fedoraproject.org/wiki/Changes/SystemdSecurityHardening
Signed-off-by: Daniel Wagner <dwagner@suse.de>

diff --git a/nvmf-autoconnect/systemd/nvmefc-boot-connections.service.in b/nvmf-autoconnect/systemd/nvmefc-boot-connections.service.in
index 7036625c778863488274208dd001aa2ff94d5226..783feb0677194ff280cb7f0eda0d66e77a9ff414 100644 (file)
--- a/nvmf-autoconnect/systemd/nvmefc-boot-connections.service.in
+++ b/nvmf-autoconnect/systemd/nvmefc-boot-connections.service.in
@@ -6,6 +6,18 @@ After=systemd-udevd.service
 Before=local-fs-pre.target
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RemoveIPC=yes
+RestrictAddressFamilies=none
 Type=oneshot
 ExecStart=/bin/sh -c "echo add > /sys/class/fc/fc_udev_device/nvme_discovery"
 

diff --git a/nvmf-autoconnect/systemd/nvmf-autoconnect.service.in b/nvmf-autoconnect/systemd/nvmf-autoconnect.service.in
index 92960cde6144fcc98d23ee8a491a86abc179480d..1ac1588466a76500e79a83d860882c24f7297275 100644 (file)
--- a/nvmf-autoconnect/systemd/nvmf-autoconnect.service.in
+++ b/nvmf-autoconnect/systemd/nvmf-autoconnect.service.in
@@ -8,6 +8,18 @@ After=network-online.target
 Before=remote-fs-pre.target
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
 Type=oneshot
 ExecStart=@SBINDIR@/nvme connect-all --context=autoconnect
 

diff --git a/nvmf-autoconnect/systemd/nvmf-connect-nbft.service.in b/nvmf-autoconnect/systemd/nvmf-connect-nbft.service.in
index 820e6ced2cffff1a4d70fb3cad17a6da2348bfea..e3934fe7045f7e0041b7a29e27add621b05cc2c6 100644 (file)
--- a/nvmf-autoconnect/systemd/nvmf-connect-nbft.service.in
+++ b/nvmf-autoconnect/systemd/nvmf-connect-nbft.service.in
@@ -10,5 +10,17 @@ After=network-online.target
 Before=remote-fs-pre.target
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
 Type=oneshot
 ExecStart=@SBINDIR@/nvme connect-all --nbft

diff --git a/nvmf-autoconnect/systemd/nvmf-connect@.service.in b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
index 5ba70863e6bfe6d5a63cfb673485f3a2773cedeb..3cec3476f1c988a145815d37ba136878792b5f48 100644 (file)
--- a/nvmf-autoconnect/systemd/nvmf-connect@.service.in
+++ b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
@@ -11,6 +11,18 @@ PartOf=nvmf-connect.target
 Requires=nvmf-connect.target
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectProc=invisible
+RestrictRealtime=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
 Type=simple
 Environment="CONNECT_ARGS=%i"
 ExecStart=/bin/sh -c "@SBINDIR@/nvme connect-all --context=autoconnect --quiet `/bin/echo -e '${CONNECT_ARGS}'`"