nvme-cli/0100-harden_nvmf-connect@.service.patch


From a4fe9c98d74447ca96ba59610368486640fdbfd6 Mon Sep 17 00:00:00 2001
From: Daniel Wagner <dwagner@suse.de>
Date: Fri, 29 Sep 2023 14:28:16 +0200
Subject: [PATCH] systemd hardening effort
https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
Apply the recommended hardening settings, but without
"ProtectKernelTunables=true", because the service needs write access to /sys.
Signed-off-by: Daniel Wagner <dwagner@suse.de>
---
nvmf-autoconnect/systemd/nvmf-connect@.service.in | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/nvmf-autoconnect/systemd/nvmf-connect@.service.in b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
index 5ba708..129cb4 100644
--- a/nvmf-autoconnect/systemd/nvmf-connect@.service.in
+++ b/nvmf-autoconnect/systemd/nvmf-connect@.service.in
@@ -11,6 +11,14 @@ PartOf=nvmf-connect.target
Requires=nvmf-connect.target
[Service]
+# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
Type=simple
Environment="CONNECT_ARGS=%i"
ExecStart=/bin/sh -c "@SBINDIR@/nvme connect-all --context=autoconnect --quiet `/bin/echo -e '${CONNECT_ARGS}'`"
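Review bot: The new hardening block only links to the wiki page, so a reader of the unit file cannot tell why ProtectKernelTunables=true, part of that recommended set, is missing; the reason lives only in the commit message. Put it next to the link, e.g. `# ProtectKernelTunables=true is deliberately omitted: nvme connect-all must write to /sys, which that setting would mount read-only`. It is also worth recording why ProtectSystem=full rather than strict was chosen: strict leaves /dev, /proc and /sys writable, so the /sys requirement alone does not rule it out, and if nvme writes elsewhere (presumably under /var or /run) a one-line comment prevents a later "tightening" that silently breaks autoconnect. Finally, note that none of these directives reduce the exposure of the pre-existing ExecStart line, where the instance name is expanded through `echo -e` inside a backtick substitution under `/bin/sh -c`; the Protect*/Restrict* settings bound what the process can touch, not what the shell parses from `%i`.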
--
2.42.0