packaging: systemd unit hardening (#38109)

2021-09-02 14:36:35 +02:00 · 2021-09-02 14:36:35 +02:00 · 5f521bd9ae
parent 7e6cf14c84
commit 5f521bd9ae
2 changed files with 55 additions and 0 deletions
--- a/packaging/deb/systemd/grafana-server.service
+++ b/packaging/deb/systemd/grafana-server.service
@ -26,6 +26,33 @@ ExecStart=/usr/sbin/grafana-server
 LimitNOFILE=10000
 TimeoutStopSec=20
 CapabilityBoundingSet=
 DeviceAllow=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 PrivateUsers=true
 ProcSubset=pid
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
 SystemCallFilter=~@resources
 UMask=0027
 [Install]
--- a/packaging/rpm/systemd/grafana-server.service
+++ b/packaging/rpm/systemd/grafana-server.service
@ -25,6 +25,34 @@ ExecStart=/usr/sbin/grafana-server
 LimitNOFILE=10000
 TimeoutStopSec=20
 CapabilityBoundingSet=
 DeviceAllow=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 PrivateUsers=true
 ProcSubset=pid
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
 ProtectProc=invisible
 ProtectSystem=full
 RemoveIPC=true
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
 SystemCallFilter=~@privileged
 SystemCallFilter=~@resources
 UMask=0027
 [Install]
 WantedBy=multi-user.target