FS#61162 - [postgresql] enhance systemd hardening

Attached to Project: Arch Linux
Opened by Remi Gacogne (rgacogne) - Sunday, 23 December 2018, 16:21 GMT
Last edited by freswa (frederik) - Wednesday, 12 February 2020, 11:51 GMT
Task Type Feature Request
Category Packages
Status Closed
Assigned To Dan McGee (toofishes)
Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

Since we are currently providing the systemd service file for PostgreSQL, it would be nice to enhance a bit the hardening options that we use there. We currently have:

PrivateTmp=true
ProtectHome=true
ProtectSystem=full
NoNewPrivileges=true

I have been running with these additional restrictions for a while without any issue, and unless someone sees something wrong with them I think it would make sense to add them to the service file:

ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
PrivateDevices=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native

This task depends upon

Closed by freswa (frederik)
Wednesday, 12 February 2020, 11:51 GMT
Reason for closing: Fixed
Additional comments about closing: 11.5-1
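Added example, not part of this task or of the packaged postgresql unit: a POSIX sh script that audits a unit file's [Service] section for the hardening directives listed in the report and prints the ones that are absent or set to a different value. The unit texts are constructed inline (the ExecStart line is a placeholder, not the one Arch ships) so the script runs on a machine without systemd; to audit a real unit, feed it the output of `systemctl cat postgresql.service`.

```shell
#!/bin/sh
# Added example (not the task's or the package's own code): check a unit for
# the hardening directives proposed in FS#61162.

# Directives the task says the packaged unit already carried ...
BASELINE='PrivateTmp=true
ProtectHome=true
ProtectSystem=full
NoNewPrivileges=true'

# ... and the additional ones the report proposes.
PROPOSED='ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
PrivateDevices=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native'

WANTED="$BASELINE
$PROPOSED"

# Constructed unit skeleton; the ExecStart path is a placeholder, not Arch's.
HEAD='[Unit]
Description=PostgreSQL database server

[Service]
Type=notify
User=postgres
ExecStart=/usr/bin/postgres -D /var/lib/postgres/data'
TAIL='
[Install]
WantedBy=multi-user.target'

# The unit as the task describes it before the change, and after it.
CURRENT_UNIT="$HEAD
$BASELINE
$TAIL"
HARDENED_UNIT="$HEAD
$BASELINE
$PROPOSED
$TAIL"

# service_value UNIT_TEXT KEY -> prints the effective value of KEY in the
# [Service] section. Like systemd, the last assignment wins and an empty
# assignment (KEY=) resets the key, so nothing is printed for it. Directives
# placed in any other section are ignored, as systemd would ignore them.
service_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
        }
        END { if (val != "") print val }'
}

# missing_directives UNIT_TEXT -> one line per wanted directive whose value
# is absent or differs from the expected one; silent when all are present.
missing_directives() {
    while IFS= read -r want; do
        key=${want%%=*}
        expected=${want#*=}
        actual=$(service_value "$1" "$key")
        [ "$actual" = "$expected" ] ||
            printf '%s: expected "%s", found "%s"\n' "$key" "$expected" "$actual"
    done <<EOF
$WANTED
EOF
}

# count_missing UNIT_TEXT -> number of missing or mismatched directives.
count_missing() {
    missing_directives "$1" | wc -l | tr -d ' '
}

# Report on the pre-change unit: lists the eight proposed directives.
echo "Directives missing from the current unit:"
missing_directives "$CURRENT_UNIT"
echo "Directives missing from the hardened unit: $(count_missing "$HARDENED_UNIT")"
```

The section check matters in practice: a directive appended below [Install] by a hasty edit or drop-in is silently ignored by systemd, and the script flags it as missing for the same reason. On a host with a recent systemd, `systemd-analyze security postgresql.service` gives a broader view of the same sandboxing settings, and a drop-in under /etc/systemd/system/postgresql.service.d/ is the usual place to add them without editing the packaged unit.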