templates/systemd/mastodon: update sandbox mode #16235

Merged (5 commits), Oct 25, 2021

Conversation

Izorkin (Contributor) commented May 14, 2021

Added ProcSubset, ProtectProc and RemoveIPC options.
Removed duplicate filters. The @privileged filter includes the following filters: @chown, @clock, @module, @raw-io, @reboot, @swap.

systemd-analyze syscall-filter
...
@privileged
    # All system calls which need super-user capabilities
    @chown
    @clock
    @module
    @raw-io
    @reboot
    @swap
    _sysctl
    acct
    bpf
...

For the ruby process, allow only @chown system calls instead of @privileged.
For the mastodon-streaming service, deny @memlock system calls.

Gargron (Member) commented May 24, 2021

WARNING: Now files and directories are created with the rights 0640 and 0750

This is a breaking change. I am not sure it's worth it.

Izorkin (Contributor, Author) commented May 24, 2021

> WARNING: Now files and directories are created with the rights 0640 and 0750
>
> This is a breaking change. I am not sure it's worth it.

Ok, removed these changes:

diff --git a/dist/mastodon-sidekiq.service b/dist/mastodon-sidekiq.service
index fc652b4e8..3ba13d03d 100644
--- a/dist/mastodon-sidekiq.service
+++ b/dist/mastodon-sidekiq.service
@@ -15,8 +15,6 @@ Restart=always
 # Proc filesystem
 ProcSubset=pid
 ProtectProc=invisible
-# Access write directories
-UMask=0027
 # Capabilities
 CapabilityBoundingSet=
 # Security
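Review bot: dropping `UMask=0027` here means the service falls back to systemd's default `UMask=` of 0022, so anything mastodon-sidekiq creates becomes world-readable again; since the setting was reverted only because it would break existing deployments (see the discussion above), record that rationale in a comment at this spot, and consider leaving a commented-out `# UMask=0027` so operators who can tolerate the tighter mode can opt in deliberately.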
diff --git a/dist/mastodon-streaming.service b/dist/mastodon-streaming.service
index 36f9f8e75..861a7fe45 100644
--- a/dist/mastodon-streaming.service
+++ b/dist/mastodon-streaming.service
@@ -15,8 +15,6 @@ Restart=always
 # Proc filesystem
 ProcSubset=pid
 ProtectProc=invisible
-# Access write directories
-UMask=0027
 # Capabilities
 CapabilityBoundingSet=
 # Security
diff --git a/dist/mastodon-web.service b/dist/mastodon-web.service
index 465ac70fb..d083b8092 100644
--- a/dist/mastodon-web.service
+++ b/dist/mastodon-web.service
@@ -15,8 +15,6 @@ Restart=always
 # Proc filesystem
 ProcSubset=pid
 ProtectProc=invisible
-# Access write directories
-UMask=0027
 # Capabilities
 CapabilityBoundingSet=
 # Security
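Review bot: this is the third identical removal; the three unit files carry the same `ProcSubset=pid`, `ProtectProc=invisible` and `CapabilityBoundingSet=` blocks, so consider keeping the shared hardening block in one place (for example a systemd drop-in each unit picks up) so that web, sidekiq and streaming do not drift apart the next time one of these settings changes.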

ClearlyClaire (Contributor) commented
I am not sure about the implications of RemoveIPC here. Otherwise, it appears to work and allowing @resources actually fixes a bug with uploading media via /api/v1/media.

Generally, though, I'm not sure how much it's worth tightening the sandboxing settings, as it may cause hard-to-debug issues if we end up making more system calls or our dependencies change and make different system calls. Furthermore it may lead to hard-to-debug issues like #16378

Izorkin (Contributor, Author) commented Jun 10, 2021

Maybe there is a possibility to write tests that check the main functions in work?

weex (Contributor) commented Aug 4, 2021

Is there an issue that this references or addresses? Not being familiar with service flags, it would be nice to understand the problem(s) this solves.

Izorkin (Contributor, Author) commented Aug 4, 2021

> Is there an issue that this references or addresses? Not being familiar with service flags, it would be nice to understand the problem(s) this solves.

Added ProcSubset, ProtectProc and RemoveIPC options.
Removed duplicate filters. The @privileged filter includes the following filters: @chown, @clock, @module, @raw-io, @reboot, @swap.
For the ruby process, allow only @chown system calls instead of @privileged.
For the mastodon-streaming service, deny @memlock system calls.

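The redundancy Izorkin points out in both of his explanations above (listing @chown, @clock and the other sub-groups next to @privileged, which already contains them) can be checked mechanically rather than by eye. The script below is an added example and is not part of this PR or of Mastodon's templates: it parses text in the format printed by `systemd-analyze syscall-filter` and reports every filter group in a SystemCallFilter= list that is already covered, directly or transitively, by another group in the same list. The `SYSCALL_TABLE` value is a constructed excerpt, not real systemd output, and `redundant_filters` is this example's own function name; on a real host feed it the actual command output, since group membership differs between systemd versions.

```shell
#!/bin/sh
# Added example (not from the Mastodon PR or its systemd templates).
# Report SystemCallFilter= groups that another listed group already contains.

# CONSTRUCTED excerpt in the layout of `systemd-analyze syscall-filter`:
# an unindented @group line, an indented "# description", then indented
# members that are either @sub-groups or bare syscall names.
# Assumption: membership shown here is illustrative; use the real output
# of your systemd version in practice (e.g. SYSCALL_TABLE=$(systemd-analyze syscall-filter)).
SYSCALL_TABLE='@privileged
    # All system calls which need super-user capabilities
    @chown
    @clock
    @module
    @raw-io
    @reboot
    @swap
    _sysctl
    acct
    bpf
@system-service
    # System service operations
    @aio
    @basic-io
    @chown
    @resources
@chown
    # Change ownership of files and directories
    chown
    fchown
@resources
    # Alter resource settings
    setrlimit
'

# redundant_filters TABLE "GROUP GROUP ..."
# Prints one line per listed group that some other listed group covers.
# Containment is resolved transitively (a group nested two levels deep
# is still reported), so this generalizes beyond the single @privileged
# case discussed in the PR.
redundant_filters() {
    printf '%s\n' "$1" | awk -v list="$2" '
    # Unindented line: start of a new group definition.
    /^@/ { cur = $1; next }
    # Indented @name: a sub-group member of the current group.
    /^[ \t]+@/ { child[cur] = child[cur] " " $1; next }
    # Everything else (descriptions, bare syscalls) is irrelevant here.

    # Does "parent" contain "target" directly or through nested groups?
    function contains(parent, target,   n, a, i) {
        n = split(child[parent], a, " ")
        for (i = 1; i <= n; i++) {
            if (a[i] == target) return 1
            if (contains(a[i], target)) return 1
        }
        return 0
    }

    END {
        n = split(list, f, " ")
        for (i = 1; i <= n; i++)
            for (j = 1; j <= n; j++)
                if (i != j && contains(f[j], f[i])) {
                    print f[i] " (covered by " f[j] ")"
                    break
                }
    }'
}

# Usage: the list below mirrors the duplicated filters the PR removed.
redundant_filters "$SYSCALL_TABLE" "@privileged @chown @clock @resources"
```

Running it prints `@chown (covered by @privileged)` and `@clock (covered by @privileged)`, while @resources is left alone because nothing else in that list contains it; an empty result means the list has no redundant groups. The check only covers allow-list redundancy; it says nothing about whether the remaining groups are sufficient for the service, which is the separate concern ClearlyClaire raises below.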
ClearlyClaire (Contributor) left a review comment

I have been running with those settings for a few months now without noticing any issue.

There is also a bugfix in there, with mastodon-web being allowed the @resources syscall group again, which sometimes prevented POST /api/v1/media from working correctly.

@Gargron Gargron merged commit a9ff5c8 into mastodon:main Oct 25, 2021
@Izorkin Izorkin deleted the mastodon-update-sandboxing branch October 26, 2021 07:24
jesseplusplus pushed a commit to jesseplusplus/decodon that referenced this pull request Feb 10, 2022
* templates/systemd/mastodon: add new sandboxing options

* templates/systemd/mastodon: add '@PRIVILEGED' and remove duplicate SystemCallFilters

* templates/systemd/mastodon: add '@ipc' SystemCallFilter

* templates/systemd/mastodon: add '@memlock' SystemCallFilter

* templates/systemd/mastodon: allow '@resources' filter to mastodon-web service
4 participants