From 55051e7fb31928e3475db1f93354806e10ef0ca1 Mon Sep 17 00:00:00 2001 From: LaserEyess Date: Thu, 28 Aug 2025 09:20:30 -0400 Subject: [PATCH] harden systemd service with safe defaults This commit adds hardening to the systemd service with a variety of knobs designed to restrict damage that rsync can do as root, while making sure that no file transfers are interrupted. For example, ProtectHome= is still off, and CapabilityBoundingSet is still unlimited to allow for chown/chmod to work unimpeded. The rsync@.service has some additional options to restrict all network access and only use the socket on stdin. An equivalent change was done in rsync.service to only allow TCP, but full network isolation is not possible for that unit. --- packaging/systemd/rsync.service | 23 +++++++++++++++++++++++ packaging/systemd/rsync@.service | 24 ++++++++++++++++++++++++ 2 files changed, 47 insertions(+) diff --git a/packaging/systemd/rsync.service b/packaging/systemd/rsync.service index 8a867ca64..0012b9824 100644 --- a/packaging/systemd/rsync.service +++ b/packaging/systemd/rsync.service @@ -25,8 +25,31 @@ Restart=on-failure ProtectSystem=full #ProtectHome=on|off|read-only + +# These are general hardening parameters that should not affect file access PrivateDevices=on NoNewPrivileges=on +MemoryDenyWriteExecute=on +LockPersonality=on +PrivateTmp=on +ProtectClock=on +ProtectControlGroups=on +ProtectHostname=on +ProtectKernelLogs=on +ProtectKernelModules=on +ProtectKernelTunables=on +ProtectProc=invisible +ProcSubset=pid +RestrictNamespaces=on +RestrictRealtime=on +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service + +# We only listen on TCP sockets +SocketBindAllow=ipv4:tcp +SocketBindAllow=ipv6:tcp +SocketBindDeny=any [Install] WantedBy=multi-user.target diff --git a/packaging/systemd/rsync@.service b/packaging/systemd/rsync@.service index 63ba0c7c4..83390002c 100644 --- a/packaging/systemd/rsync@.service 
+++ b/packaging/systemd/rsync@.service @@ -24,5 +24,29 @@ StandardError=journal ProtectSystem=full #ProtectHome=on|off|read-only + +# These are general hardening parameters that should not affect file access PrivateDevices=on NoNewPrivileges=on +MemoryDenyWriteExecute=on +LockPersonality=on +PrivateTmp=on +ProtectClock=on +ProtectControlGroups=on +ProtectHostname=on +ProtectKernelLogs=on +ProtectKernelModules=on +ProtectKernelTunables=on +ProtectProc=invisible +ProcSubset=pid +RestrictNamespaces=on +RestrictRealtime=on +SystemCallArchitectures=native +SystemCallErrorNumber=EPERM +SystemCallFilter=@system-service + +# These settings work only for inetd-style activation +RestrictAddressFamilies=AF_UNIX +PrivateNetwork=on +IPAddressDeny=any +
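Review bot: In the rsync.service hunk, the SocketBindAllow=ipv4:tcp / SocketBindAllow=ipv6:tcp / SocketBindDeny=any lines constrain only bind(), so they do not deliver the "only allow TCP" the commit message claims; if the intent is to limit the daemon to TCP/IP sockets, add `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` next to them (AF_UNIX kept if the daemon logs through syslog or the journal), and note in the comment that SocketBindAllow=/SocketBindDeny= need systemd 249 or newer and are ignored with a warning on older releases. PrivateTmp=on also deserves a word in the "should not affect file access" comment: an rsyncd module rooted under /tmp, or a `temp dir` placed there, will see an empty private /tmp once this lands.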
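Review bot: In the rsync@.service hunk, PrivateNetwork=on plus RestrictAddressFamilies=AF_UNIX leaves the connection passed on stdin usable but removes any path for name resolution, so rsync's default reverse lookup of the client (the rsyncd.conf `reverse lookup` setting, on by default) and any hostname patterns in `hosts allow` / `hosts deny` will fail or stall per connection; the comment "These settings work only for inetd-style activation" should also say that `reverse lookup = no` and address-based `hosts allow` entries are required with this unit. The IPAddressDeny=any line is consistent with the stated goal: systemd.resource-control(5) documents that a service's IP access list is not applied to sockets handed in through socket activation, so the accepted connection keeps working while any socket rsync opens itself is cut off. Minor: the final `+` adds a trailing blank line at end of file.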