[systemd-devel] systemd-journald.service not using ProtectSystem=strict?

Topi Miettinen toiwoton at gmail.com
Fri Jan 11 10:48:16 UTC 2019


Hello,

I have no problems using this with Debian testing:

# /etc/systemd/system/systemd-journald.service.d/override.conf
[Service]
CapabilityBoundingSet=~CAP_MAC_OVERRIDE CAP_SYS_PTRACE
InaccessiblePaths=-/dev/pts -/dev/shm -/dev/mqueue -/dev/hugepages \
  -/setuid -/boot -/tmp -/var/tmp -/bin -/sbin -/usr/bin -/run/lock \
  -/lost+found -/media -/mnt -/opt -/srv -/proc/bus
Personality=x86-64
PrivateNetwork=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=strict
ReadOnlyPaths=-/
ReadWritePaths=-/var -/run
SystemCallFilter=~@resources
UMask=0077

It could be obvious, but when testing journald configuration, if 
journald is started from initramfs, the config file should also be 
present there.

-Topi

On 10.1.2019 20.06, Reindl Harald wrote:
> looking at the current security issues and how it triggers the
> troll-army I wonder why systemd-journald.service is not restricted from
> at least write to /usr and /root at least on Fedora 28 (that it's not
> vulnerable because of compiler hardening is just luck)
> 
> [root at testserver:~]$ cat /etc/systemd/system/systemd-journald.service.d/security.conf
> [Service]
> ProtectSystem=strict
> ProtectHome=yes
> ReadWritePaths=/run
> ReadWritePaths=/var
> 
> [root at testserver:~]$ systemctl status systemd-journald.service
> ● systemd-journald.service - Journal Service
>     Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service;
> static; vendor preset: disabled)
>    Drop-In: /etc/systemd/system/systemd-journald.service.d
>             └─security.conf
>     Active: active (running) since Thu 2019-01-10 19:00:30 CET; 42s ago
>       Docs: man:systemd-journald.service(8)
>             man:journald.conf(5)
>   Main PID: 398 (systemd-journal)
>     Status: "Processing requests..."
>      Tasks: 1 (limit: 512)
>     Memory: 4.7M
>     CGroup: /system.slice/systemd-journald.service
>             └─398 /usr/lib/systemd/systemd-journald
> 
> Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Journal started
> Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime
> journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max
> 10.0M, 7.5M free.
> Jan 10 19:00:30 testserver.rhsoft.net systemd-journald[398]: Runtime
> journal (/run/log/journal/b3591cfc6c4e65ea231a7d08489dc40f) is 2.5M, max
> 10.0M, 7.5M free.
> 
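As an added example (not code from the thread or from systemd), a small Python checker that parses a drop-in like the two above and reports the access mode a path ends up with under ProtectSystem=, ProtectHome= and the three path lists, applying the longest-match nesting rule from systemd.exec(5); that ProtectHome= mounts can be overridden by nested path lists the same way ProtectSystem= ones can is an assumption noted in the code.

```python
import posixpath
PATH_KEYS = {"ReadWritePaths": "rw", "ReadOnlyPaths": "ro", "InaccessiblePaths": "none"}

def parse_service_section(text):
    """[Service] settings of a unit/drop-in; repeated keys accumulate (systemd list semantics)."""
    settings, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):  # value continues on the next line
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]")
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def mount_rules(settings):
    """Mount point -> access mode (rw/ro/none) implied by the sandbox settings. Assumption:
    ProtectHome= mounts can be overridden by nested path lists as ProtectSystem= ones can."""
    rules = {}
    ps = settings.get("ProtectSystem", ["no"])[-1]
    if ps == "strict":  # whole tree read-only except the API filesystems
        rules.update({"/": "ro", "/dev": "rw", "/proc": "rw", "/sys": "rw"})
    elif ps in ("yes", "true", "full"):  # "full" additionally protects /etc
        for p in ("/usr", "/boot", "/efi") + (("/etc",) if ps == "full" else ()):
            rules[p] = "ro"
    ph = settings.get("ProtectHome", ["no"])[-1]
    if ph in ("yes", "true", "tmpfs", "read-only"):  # tmpfs/read-only stay readable
        for p in ("/home", "/root", "/run/user"):
            rules[p] = "ro" if ph in ("tmpfs", "read-only") else "none"
    for key, mode in PATH_KEYS.items():
        acc = []
        for value in settings.get(key, []):
            acc = acc + value.split() if value else []  # empty assignment resets the list
        for p in acc:  # leading '-' = ignore if missing, '+' = relative to the root directory
            rules[posixpath.normpath(p.lstrip("-+"))] = mode
    return rules

def effective_mode(settings, path):
    """Access mode for `path`: the longest matching mount point wins; no match means rw."""
    rules, path = mount_rules(settings), posixpath.normpath(path)
    hits = [m for m in rules if m == "/" or path == m or path.startswith(m + "/")]
    return rules[max(hits, key=len)] if hits else "rw"
```

Feed it the text of a drop-in and ask for the paths you care about (for example /usr, /root and /var/log/journal) to see whether the unit can still write where the thread says it should not.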
