scx_loader: Lockdown systemd service #25
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sirlucjan
approved these changes
Nov 28, 2025
Collaborator
I'm not sure about above, but LGTM overall. |
Collaborator
Author
Probably not needed since we don't do any networking, but would protect against the binary getting replaced with a malicious one that adds networking, or if any crate we depend on goes rogue or has a malicious upload. Honestly I think most of these options are overkill, but preemptively restricting perms and capabilities as much as possible will reduce the chances of new security issues springing up in future. |
Collaborator
|
Breaks only rustland |
Collaborator
|
worked with that diff (generated using shh) @@ -7,11 +7,8 @@
ExecStart=/usr/bin/scx_loader
KillSignal=SIGINT
ProtectSystem=full
-ProtectHome=true
PrivateTmp=disconnected
-PrivateDevices=true
PrivateMounts=true
-ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
@@ -24,8 +21,8 @@
SocketBindDeny=ipv4:udp
SocketBindDeny=ipv6:tcp
SocketBindDeny=ipv6:udp
-CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_CHOWN CAP_IPC_LOCK CAP_MKNOD CAP_NET_RAW CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYSLOG CAP_WAKE_ALARM
-SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @keyring:EPERM @memlock:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @raw-io:EPERM @reboot:EPERM @sandbox:EPERM @setuid:EPERM @swap:EPERM @sync:EPERM @timer:EPERM
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_CHOWN CAP_MKNOD CAP_NET_RAW CAP_SYS_BOOT CAP_SYS_CHROOT CAP_SYS_MODULE CAP_SYS_PACCT CAP_SYS_PTRACE CAP_SYS_TIME CAP_SYSLOG CAP_WAKE_ALARM
+SystemCallFilter=~@aio:EPERM @chown:EPERM @clock:EPERM @cpu-emulation:EPERM @debug:EPERM @keyring:EPERM @module:EPERM @mount:EPERM @obsolete:EPERM @pkey:EPERM @raw-io:EPERM @reboot:EPERM @setuid:EPERM @swap:EPERM @sync:EPERM @timer:EPERM
[Install]
WantedBy=graphical.target |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an attempt to perform the systemd hardening suggested by #12 . The following options were determined by profiling the service with shh (systemd hardening helper). It was done by starting profiling with shh, running through every scxctl option (stop, start sched with modes/args, switch with modes/args, restart, get, list), then ending profiling. AFAICT everything works fine w/ the new hardening options, but I would appreciate testing to make sure it works on more than just my system.