fix(linux): drop risky sandbox directives that break Rust network daemons
Integration test failed with exit 7 on curl to /health after a successful install — service started but never listened. The likely culprits are MemoryDenyWriteExecute (breaks jemalloc/some crypto), SystemCallFilter ~@privileged @resources (blocks setrlimit and friends tokio may use), and RestrictNamespaces/LockPersonality (occasional foot-guns). Pull them and keep a conservative hardening set that's well-tested with Rust network services: no-new-privs, protect-system/home, private tmp and devices, protect-kernel-*, restrict-realtime/suid/address-families. Layer the aggressive bits back in follow-up PRs once tested individually.
This commit is contained in:
Razvan Dimescu
10
numa.service
10
numa.service
@@ -22,7 +22,9 @@ StateDirectoryMode=0750
|
||||
ConfigurationDirectory=numa
|
||||
ConfigurationDirectoryMode=0755
|
||||
|
||||
# Sandboxing
|
||||
# Sandboxing — conservative set known to work with Rust network daemons.
|
||||
# Aggressive hardening (MemoryDenyWriteExecute, SystemCallFilter, seccomp
|
||||
# allow-lists) can be layered on once tested in isolation.
|
||||
NoNewPrivileges=true
|
||||
ProtectSystem=strict
|
||||
ProtectHome=true
|
||||
@@ -31,14 +33,8 @@ PrivateDevices=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectKernelModules=true
|
||||
ProtectControlGroups=true
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~@privileged @resources
|
||||
# AF_NETLINK for interface enumeration on network changes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
||||
|
||||
|
||||
Reference in New Issue
Block a user