
Improve systemd security settings (#352).

Dan Helfman 5 years ago
parent
commit
e844bbee15
3 changed files with 36 additions and 0 deletions
  1. borgmatic/config/schema.yaml (+2, -0)
  2. docs/how-to/set-up-backups.md (+4, -0)
  3. sample/systemd/borgmatic.service (+30, -0)

+ 2 - 0
borgmatic/config/schema.yaml

@@ -29,6 +29,8 @@ map:
                     expanded. Multiple repositories are backed up to in
                     sequence. See ssh_command for SSH options like identity file
                     or port.
+                    If systemd service is used, then add local repository paths
+                    in the systemd service file to the ReadWritePaths list.
                 example:
                     - user@backupserver:sourcehostname.borg
             one_file_system:
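Review bot: The added schema text should say where the `ReadWritePaths` list lives, since people reading the schema may never have opened the sample unit; suggest "If the systemd service is used, add local repository paths to the ReadWritePaths list in the service file (see sample/systemd/borgmatic.service)". "If systemd service is used" also needs the article ("If the systemd service is used").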

+ 4 - 0
docs/how-to/set-up-backups.md

@@ -268,6 +268,10 @@ sudo mv borgmatic.service borgmatic.timer /etc/systemd/system/
 sudo systemctl enable --now borgmatic.timer
 ```
 
+Review the security settings in the service file and update them as needed.
+If `ProtectSystem=strict` is enabled and local repositories are used, then
+the repository path must be added to the `ReadWritePaths` list.
+
 Feel free to modify the timer file based on how frequently you'd like
 borgmatic to run.
 
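Review bot: The added paragraph only tells the user to add the repository path to `ReadWritePaths`, but in the sample unit that line ships commented out, and `ProtectSystem=strict` also makes the borg config, cache and `.borgmatic` state directories under `/root` read-only (the ones the commented `ReadWritePaths` line already lists), so a reader who adds only the repository path will still get write failures. Suggest: "If `ProtectSystem=strict` is enabled, uncomment the `ReadWritePaths` line in the service file and append any local repository paths to it."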

+ 30 - 0
sample/systemd/borgmatic.service

@@ -7,6 +7,36 @@ ConditionACPower=true
 [Service]
 Type=oneshot
 
+# Security settings for systemd running as root
+# For more details about this settings check the systemd manuals
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+LockPersonality=true
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+# Restrict write access
+# Change to 'ProtectSystem=strict' and uncomment 'ProtectHome' to make the whole file
+# system read-only be default and uncomment 'ReadWritePaths' for the required write access.
+# Add local repositroy paths to the list of 'ReadWritePaths' like '-/mnt/my_backup_drive'.
+ProtectSystem=full
+# ProtectHome=read-only
+# ReadWritePaths=-/root/.config/borg -/root/.cache/borg -/root/.borgmatic
+
+CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW
+
 # Lower CPU and I/O priority.
 Nice=19
 CPUSchedulingPolicy=batch
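Review bot: `CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_NET_RAW` drops every other capability for the unit, so any command borgmatic runs under it that needs another capability (mounting a backup drive, for instance) will fail with a permission error that is hard to trace back to the unit file; a comment above that line stating why these two are kept (`CAP_NET_RAW` in particular is not obviously needed by a backup job) and that the set must be extended for such commands would save users a debugging session. The `-` prefix on the `ReadWritePaths` entries (missing paths are ignored rather than failing the unit) is the right choice for an optional mount point and deserves a word in the comment too. Typos in the comments: "this settings" should be "these settings", "read-only be default" should be "read-only by default", and "repositroy" should be "repository".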