From 4c18cf5ef25d6708149fe1bda2b9a66ca213f93e Mon Sep 17 00:00:00 2001
From: Jonas L
Date: Tue, 27 Sep 2022 11:51:17 +0200
Subject: [PATCH] feat: systemd service hardening (#2186)

---
 .../systemd/libretime-analyzer.service | 18 ++++++++++++--
 api/install/systemd/libretime-api.service | 24 ++++++++++++++-----
 .../systemd/libretime-liquidsoap.service | 18 ++++++++++++--
 .../install/systemd/libretime-playout.service | 18 ++++++++++++--
 .../install/systemd/libretime-worker.service | 18 ++++++++++++--
 5 files changed, 82 insertions(+), 14 deletions(-)

diff --git a/analyzer/install/systemd/libretime-analyzer.service b/analyzer/install/systemd/libretime-analyzer.service
index 8c3d95eaf..edc8f8f03 100644
--- a/analyzer/install/systemd/libretime-analyzer.service
+++ b/analyzer/install/systemd/libretime-analyzer.service
@@ -3,14 +3,28 @@ Description=LibreTime Media Analyzer Service
 PartOf=libretime.target
 
 [Service]
-Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
+NoNewPrivileges=true
+CapabilityBoundingSet=
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
+Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/analyzer.log
 
 WorkingDirectory=@@WORKING_DIR@@/analyzer
 ExecStart=/usr/local/bin/libretime-analyzer
+Restart=always
+
 User=libretime
 Group=libretime
-Restart=always
 
 [Install]
 WantedBy=multi-user.target
diff --git a/api/install/systemd/libretime-api.service b/api/install/systemd/libretime-api.service
index 0a15a95a5..670af405c 100644
--- a/api/install/systemd/libretime-api.service
+++ b/api/install/systemd/libretime-api.service
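Review bot: The twelve sandbox directives are pasted verbatim into all five units with no comment on what they assume about the deployment, and two of them silently change what the analyzer can reach: `ProtectHome=true` hides /home entirely and `ProtectSystem=full` makes /usr, /boot, /efi and /etc read-only, so a media library or config placed under those paths disappears or becomes unwritable at the next restart rather than at install time. `PrivateUsers=true` together with the empty `CapabilityBoundingSet=` also means every uid other than libretime's appears as nobody inside the service and no chown is possible; if the analyzer imports files written by another service user (the web server, presumably), that path should be exercised under the new unit before release. I would add a comment above `NoNewPrivileges=true`, e.g. `# Sandbox (systemd.exec(5)): library and config must live outside /home, /usr and /etc; other users' files appear as nobody.`, and consider `ProtectSystem=strict` with `ReadWritePaths=@@LOG_DIR@@` plus the library path, which makes the writable set explicit instead of implied by which top-level directories `full` happens to spare.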
@@ -4,13 +4,24 @@ Requires=libretime-api.socket
 PartOf=libretime.target
 
 [Service]
+NoNewPrivileges=true
+CapabilityBoundingSet=
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+
+Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
+Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
+
 Type=notify
 KillMode=mixed
-PrivateTmp=true
-
-Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/api.log
-Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
-
 ExecStart=/usr/bin/gunicorn \
 --workers 4 \
 --worker-class uvicorn.workers.UvicornWorker \
@@ -18,9 +29,10 @@ ExecStart=/usr/bin/gunicorn \
 --bind unix:/run/libretime-api.sock \
 libretime_api.asgi
 ExecReload=/bin/kill -s HUP $MAINPID
+Restart=always
+
 User=libretime
 Group=libretime
-Restart=always
 
 [Install]
 WantedBy=multi-user.target
diff --git a/playout/install/systemd/libretime-liquidsoap.service b/playout/install/systemd/libretime-liquidsoap.service
index acc7a9266..4d1b571f4 100644
--- a/playout/install/systemd/libretime-liquidsoap.service
+++ b/playout/install/systemd/libretime-liquidsoap.service
@@ -3,14 +3,28 @@ Description=LibreTime Liquidsoap Service
 PartOf=libretime.target
 
 [Service]
-Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
+NoNewPrivileges=true
+CapabilityBoundingSet=
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
+Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/liquidsoap.log
 
 WorkingDirectory=@@WORKING_DIR@@/playout
 ExecStart=/usr/local/bin/libretime-liquidsoap
+Restart=always
+
 User=libretime
 Group=libretime
-Restart=always
 
 [Install]
 WantedBy=multi-user.target
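Review bot: The api unit is the one process in this set that parses untrusted HTTP requests (gunicorn/uvicorn behind `/run/libretime-api.sock`), yet it receives exactly the same sandbox as the batch workers, and the block stops short of the directives that bound what a compromised worker can do next: there is no syscall filter, no address-family restriction, and nothing stopping namespace creation, personality changes or realtime scheduling. `SystemCallFilter=@system-service`, `SystemCallArchitectures=native`, `RestrictAddressFamilies`, `RestrictNamespaces`, `RestrictRealtime`, `RestrictSUIDSGID` and `LockPersonality` are generally compatible with a Python ASGI service, but the database and broker endpoints are not visible here, so keep AF_INET/AF_INET6 unless those are confirmed to be unix sockets, and smoke-test with `systemd-analyze security libretime-api.service`. The additions below go directly after `ProtectSystem=full`.

```ini
# … unchanged: NoNewPrivileges … ProtectSystem=full …
LockPersonality=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=@system-service
# … unchanged: Environment=, Type=notify, KillMode=mixed, ExecStart= …
```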
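Review bot: `PrivateDevices=true` gives liquidsoap a private /dev holding only pseudo-devices (null, zero, random and friends), so any ALSA or PulseAudio hardware output, or a line-in source an operator configures for live shows, will fail to open, and `Restart=always` will then cycle the unit until the start rate limit trips; of the five units this is the only one likely to touch a sound card, so it should not inherit the generic block unchanged. I cannot see the liquidsoap script from this hunk, so if hardware audio is unsupported a comment next to the directive is enough, e.g. `# PrivateDevices: local sound cards are not reachable; stream output only`. If it is supported, replace `PrivateDevices=true` with `DevicePolicy=closed` and `DeviceAllow=char-alsa rw`, which keeps the device allow-list model while exposing just the sound devices.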
diff --git a/playout/install/systemd/libretime-playout.service b/playout/install/systemd/libretime-playout.service
index cf9dcd65e..f56a50257 100644
--- a/playout/install/systemd/libretime-playout.service
+++ b/playout/install/systemd/libretime-playout.service
@@ -5,14 +5,28 @@ Wants=libretime-liquidsoap.service
 After=libretime-liquidsoap.service
 
 [Service]
-Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
+NoNewPrivileges=true
+CapabilityBoundingSet=
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
+Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/playout.log
 
 WorkingDirectory=@@WORKING_DIR@@/playout
 ExecStart=/usr/local/bin/libretime-playout
+Restart=always
+
 User=libretime
 Group=libretime
-Restart=always
 
 [Install]
 WantedBy=multi-user.target
diff --git a/worker/install/systemd/libretime-worker.service b/worker/install/systemd/libretime-worker.service
index a8263e3a8..57c39a170 100644
--- a/worker/install/systemd/libretime-worker.service
+++ b/worker/install/systemd/libretime-worker.service
@@ -3,8 +3,21 @@ Description=LibreTime Worker Service
 PartOf=libretime.target
 
 [Service]
-Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
+NoNewPrivileges=true
+CapabilityBoundingSet=
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=full
+
 Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@
+Environment=LIBRETIME_LOG_FILEPATH=@@LOG_DIR@@/worker.log
 
 WorkingDirectory=@@WORKING_DIR@@/worker
 ExecStart=/usr/bin/sh -c 'celery worker \
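Review bot: `PrivateTmp=true` now gives libretime-playout and libretime-liquidsoap separate /tmp namespaces, and the `Wants=`/`After=libretime-liquidsoap.service` lines show these two are meant to work together; if playout hands liquidsoap file paths or a socket that live under /tmp, liquidsoap will simply not find them after this change, and the failure is a runtime one rather than a start failure that `Restart=always` would surface. I cannot see where the playout cache or the handover paths live from this hunk, so either confirm they are outside /tmp and record it (`# PrivateTmp: cache and liquidsoap handover paths must not be under /tmp`), or add `JoinsNamespaceOf=libretime-liquidsoap.service` so both units share one private /tmp, which is what that directive does when both have PrivateTmp enabled.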
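Review bot: The `ExecStart=/usr/bin/sh -c 'celery worker \` wrapper survives the hardening unchanged, yet the only visible reason for the shell is expanding `$LIBRETIME_LOG_FILEPATH` (in the next hunk), which systemd does itself with `${LIBRETIME_LOG_FILEPATH}`; dropping the shell removes one interpreter from the sandboxed process tree and keeps any `@@`-substituted path out of a shell string where quoting mistakes would land. The command line continues past this hunk so I can only give the two ends, assuming celery is installed at /usr/bin/celery: `ExecStart=/usr/bin/celery worker \` … `--logfile=${LIBRETIME_LOG_FILEPATH}` with the closing quote removed. `systemctl show -p ExecStart libretime-worker.service` after the change will confirm the expansion took place.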
@@ -14,9 +27,10 @@ ExecStart=/usr/bin/sh -c 'celery worker \
 --concurrency=1 \
 --loglevel=INFO \
 --logfile=$LIBRETIME_LOG_FILEPATH'
+Restart=always
+
 User=libretime
 Group=libretime
-Restart=always
 
 [Install]
 WantedBy=multi-user.target