FS#61162 - [postgresql] enhance systemd hardening
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Sunday, 23 December 2018, 16:21 GMT
Last edited by freswa (frederik) - Wednesday, 12 February 2020, 11:51 GMT
Details
Description:
Since we are currently providing the systemd service file for PostgreSQL, it would be nice to enhance a bit the hardening options that we use there. We currently have:

PrivateTmp=true
ProtectHome=true
ProtectSystem=full
NoNewPrivileges=true

I have been running with these additional restrictions for a while without any issue, and unless someone sees something wrong with them I think it would make sense to add them to the service file:

ProtectControlGroups=true
ProtectKernelModules=true
ProtectKernelTunables=true
PrivateDevices=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
SystemCallArchitectures=native
Closed by freswa (frederik)
Wednesday, 12 February 2020, 11:51 GMT
Reason for closing: Fixed
Additional comments about closing: 11.5-1
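
To check a unit file against the twelve directives listed in the description, a small audit like the following can be used. This is an added example, not code from the task or from the Arch package; the sample unit text and the function names are constructed for illustration, and it reads a single file only (no drop-ins, no line continuations).

```python
# Added example (not the Arch package's code): report which directives from this
# task are absent from, or set differently in, a unit's [Service] section.
TRUE_WORDS = {"1", "yes", "y", "true", "t", "on"}   # spellings systemd accepts for "true"
LIST_KEYS = {"RestrictAddressFamilies"}             # repeated assignments are merged
WANTED = {k: "true" for k in (
    "PrivateTmp ProtectHome NoNewPrivileges ProtectControlGroups ProtectKernelModules "
    "ProtectKernelTunables PrivateDevices RestrictNamespaces RestrictRealtime").split()}
WANTED.update(ProtectSystem="full", SystemCallArchitectures="native",
              RestrictAddressFamilies="AF_UNIX AF_INET AF_INET6")

# Constructed sample: the four existing options plus part of the proposal.
SAMPLE_UNIT = """\
[Service]
PrivateTmp=true
ProtectHome=yes
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=on
RestrictAddressFamilies=AF_UNIX
RestrictAddressFamilies=AF_INET AF_INET6
"""

def service_settings(unit_text):
    """Return the effective key -> value map of the [Service] section."""
    settings, section = {}, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            if key in LIST_KEYS and value:   # merge; an empty value resets the list
                value = (settings.get(key, "") + " " + value).strip()
            settings[key] = value            # otherwise the later assignment wins
    return settings

def normalise(key, value):
    if key in LIST_KEYS:
        return frozenset(value.split())      # order of families does not matter
    return "true" if value.lower() in TRUE_WORDS else value.lower()

def audit(unit_text):
    """Return {directive: found value or None} for each absent or differing directive."""
    have = service_settings(unit_text)
    return {k: have.get(k) for k, want in WANTED.items()
            if k not in have or normalise(k, have[k]) != normalise(k, want)}
```

A value that differs from the list is reported even when it is stricter (for example ProtectSystem=strict), so the result is a list of differences to review rather than a pass/fail verdict.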