Enable systemd service hardening features for the daemon
Since LACT runs the daemon as root, it would be desirable to restrict the process's permissions using systemd's sandboxing capabilities, so that it is only permitted access to the necessary system components.
Currently, I run the daemon with these overrides and haven't experienced any problems so far:

```ini
[Service]
# Own session keyring, not shared with the invoking user's keyring
KeyringMode=private
LockPersonality=yes
# No writable+executable memory mappings
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
# Keep the real /dev so the DRM (GPU) nodes are reachable, but only allow DRM character devices
PrivateDevices=no
DeviceAllow=char-drm
# /sys and /proc/sys stay writable
ProtectKernelTunables=no
PrivateTmp=yes
ProtectClock=yes
ProtectControlGroups=yes
# Allow creation of /root/.cache for shader cache inside tmpfs
ProtectHome=tmpfs
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
# Hide other users' processes in /proc
ProtectProc=invisible
# Whole file system read-only; only the listed path is re-opened for writing
ProtectSystem=strict
ReadWritePaths=/etc/lact
RemoveIPC=yes
# Only local (UNIX) and netlink sockets
RestrictAddressFamilies=AF_UNIX AF_LOCAL AF_NETLINK
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
# Separate network namespace with only loopback
PrivateNetwork=yes
# seccomp: native ABI only, @system-service allowlist
SystemCallArchitectures=native
SystemCallFilter=@system-service
# Only the capabilities actually needed
CapabilityBoundingSet=CAP_DAC_OVERRIDE CAP_CHOWN
```
This results in a `systemd-analyze` score of 2.3 OK as opposed to 9.6 UNSAFE.
There are however two issues I see with this restrictive configuration:

- Accessing a generated debug snapshot is now more complicated due to `PrivateTmp=yes`; however, it can still be accessed by joining the mount namespace:

  ```sh
  sudo nsenter --target $(systemctl show --property=MainPID --value lactd.service) --mount sh -c 'cat /tmp/LACT-sysfs-snapshot-*.tar.gz' > snapshot.tar.gz
  ```

  …which is probably not ideal for collecting debug information from users.

- Enabling overclocking support won't be possible using the GUI: `/etc/modprobe.d/99-amdgpu-overdrive.conf` could be added to `ReadWritePaths`, but regenerating the initrd would not be possible due to child processes inheriting the parent's restrictions. For example, `dracut` would have insufficient permissions for writing to `/boot`.

Not using `PrivateTmp` is of course an option, but allowing proper execution of `dracut` et al. would result in dropping quite a few restrictions.
Maybe there could be an alternative service file bundled that launches the daemon in hardened mode, since I assume you probably do not want to separate the initrd and debug-info generation into a separate binary or CLI subcommand for the user to execute.
This is of course just a suggestion; I personally am fine with overriding the settings.
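As an added example, not code from the LACT project or from the issue author: a small POSIX sh lint that checks a `lactd` drop-in against the hardening directives used in the override above. It reports baseline directives that are missing or set to a weaker value, and separately surfaces the two directives the override deliberately leaves at `no`, so each relaxation stays an explicit, reviewed decision. The baseline values are taken from the override in this issue and are an assumption of this script, not an official recommendation; the drop-in is assumed to use plain `Key=value` lines, and the constructed sample file in the usage block is for illustration only.

```sh
#!/bin/sh
# Added example (not LACT project code): lint a systemd drop-in against the
# hardening directives from the override above. Assumption: plain Key=value
# lines; the baseline below mirrors the issue's override, nothing official.

# Directives and the value the override above sets them to (assumed baseline).
BASELINE='NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=tmpfs
PrivateTmp=yes
PrivateNetwork=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
SystemCallArchitectures=native'

# Directives the override deliberately sets to "no"; reported, not failed.
RELAXABLE='PrivateDevices
ProtectKernelTunables'

# last_value FILE KEY: value of the last "KEY=" line (systemd keeps the last
# assignment), surrounding whitespace stripped; empty when the key is absent.
last_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | cut -d= -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_dropin FILE: one finding per line, prefixed MISSING, WEAK or RELAXED.
audit_dropin() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    printf '%s\n' "$BASELINE" | while IFS='=' read -r key want; do
        actual=$(last_value "$file" "$key")
        if [ -z "$actual" ]; then
            printf 'MISSING %s (want %s)\n' "$key" "$want"
        elif [ "$actual" != "$want" ]; then
            printf 'WEAK %s=%s (want %s)\n' "$key" "$actual" "$want"
        fi
    done
    printf '%s\n' "$RELAXABLE" | while read -r key; do
        actual=$(last_value "$file" "$key")
        if [ "$actual" = no ]; then
            printf 'RELAXED %s=no\n' "$key"
        fi
    done
}

# count_findings FILE: number of MISSING/WEAK findings (RELAXED is informational).
count_findings() {
    audit_dropin "$1" | grep -v '^RELAXED' | wc -l | tr -d ' '
}

# Usage on a constructed drop-in (sample data, not a real installation):
#   printf '[Service]\nProtectSystem=full\nPrivateDevices=no\n' > /tmp/lint-demo.conf
#   audit_dropin /tmp/lint-demo.conf
#   echo "findings: $(count_findings /tmp/lint-demo.conf)"
```

The script only looks at the drop-in it is given; `systemctl cat lactd.service` or `systemctl show -p <Key> lactd.service` remain the authoritative view of the merged unit, and `systemd-analyze security lactd.service` scores the result once the override is active.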