Further sandbox beesd using systemd.exec options

I've verified that using this setup, user will be able to access the log in /run/bees, but cannot access the mounted filesystem. Signed-off-by: Jiahao XU <Jiahao_XU@outlook.com>
2025-05-17 13:25:45 +02:00 · 2021-09-04 17:37:01 +10:00 · 2021-09-04 17:37:01 +10:00 · c79eb1d704
commit c79eb1d704
parent 522e52618e
1 changed files with 33 additions and 1 deletions
--- a/scripts/beesd@.service.in
+++ b/scripts/beesd@.service.in
@ -20,7 +20,39 @@ Restart=on-abnormal
 StartupCPUWeight=25
 StartupIOWeight=25

-PrivateMounts=true
+# Hide other users' process in /proc/
+ProtectProc=invisible
+
+# Mount / as read-only
+ProtectSystem=strict
+
+# Forbidden access to /home, /root and /run/user
+ProtectHome=true
+
+# Mount tmpfs on /tmp/ and /var/tmp/.
+# Cannot mount at /run/ or /var/run/ for they are used by systemd.
+PrivateTmp=true
+
+# Disable network access
+PrivateNetwork=true
+
+# Use private IPC namespace, user namespace, utc namespace
+PrivateIPC=true
+ProtectHostname=true
+
+# Disable write access to kernel variables throug /proc
+ProtectKernelTunables=true
+
+# Disable access to control groups
+ProtectControlGroups=true
+
+# Set capabilities of the new program
+# The first three are required for accessing any file on the mounted filesystem.
+# The last one is required for mounting the filesystem.
+AmbientCapabilities=CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_SYS_ADMIN
+
+# With NoNewPrivileges, running sudo cannot gain any new privilege
+NoNewPrivileges=true

 [Install]
 WantedBy=basic.target