MDEV-10298: Systemd hardening

Add ProtectSystem=full, NoNewPrivileges=true, PrivateDevices=true, and ProtectHome=true to the systemd units.

MDEV-10298: Systemd hardening
Add ProtectSystem=full, NoNewPrivileges=true, PrivateDevices=true, and ProtectHome=true to the systemd units.
53e7fcca · Craig Andrews · Sergey Vojtovich · f280a87c · 53e7fcca · 53e7fcca
Commit 53e7fcca authored Jun 28, 2016 by Craig Andrews Committed by Sergey Vojtovich Jul 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 20 additions and 0 deletions

support-files/mariadb.service.in support-files/mariadb.service.in +10 -0

support-files/mariadb@.service.in support-files/mariadb@.service.in +10 -0

No files found.
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -45,6 +45,16 @@ Group=mysql
 # To allow memlock to be used as non-root user if set in configuration
 CapabilityBoundingSet=CAP_IPC_LOCK

+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+NoNewPrivileges=true
+
+PrivateDevices=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true


--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -52,6 +52,16 @@ Group=mysql
 # To allow memlock to be used as non-root user if set in configuration
 CapabilityBoundingSet=CAP_IPC_LOCK

+# Prevent writes to /usr, /boot, and /etc
+ProtectSystem=full
+
+NoNewPrivileges=true
+
+PrivateDevices=true
+
+# Prevent accessing /home, /root and /run/user
+ProtectHome=true
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true