Hello,
as part of the effort to package LOOL for NixOS, I've been trying to use the systemd sandboxing
options[1] with loolwsd. They are a simple way of isolating the daemon from the rest of the system.
I don't have a non-NixOS setup to test these and don't want to create an untested gerrit change. Would
anyone be interested in testing the attached patch and submitting it if it works?
Cheers,
Martin
[1] https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Sandboxing
diff --git a/loolwsd.service b/loolwsd.service
index 93e98fd67..8845569fb 100644
--- a/loolwsd.service
+++ b/loolwsd.service
@@ -11,5 +11,24 @@ User=lool
KillMode=control-group
Restart=always
+ProtectSystem=strict
+ReadWritePaths=/opt/lool
+
+ProtectHome=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+#MemoryDenyWriteExecute=yes # probably breaks java
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+AmbientCapabilities=CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT
+CapabilityBoundingSet=CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT
+
[Install]
WantedBy=multi-user.target
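Review bot: the ProtectSystem=strict / ReadWritePaths=/opt/lool pair in this hunk leaves every path other than /opt/lool read-only for the service, so any directory loolwsd writes to at runtime (cache, log or state directories, whatever the installed loolwsd.xml points at) has to be listed in ReadWritePaths as well, or the daemon will start and then fail on its first write; please verify the paths against the configuration shipped with this unit and add them to the same line. Two further points for the same hunk: NoNewPrivileges=yes means no setuid or file-capability helper invoked by loolwsd or its forkit can gain privileges, so the jail setup path needs a real test run before this is merged rather than a syntax check; and the three capabilities in AmbientCapabilities / CapabilityBoundingSet (CAP_FOWNER CAP_MKNOD CAP_SYS_CHROOT) should each get a one-line comment in the unit saying what the forkit needs them for, since they are the whole remaining privilege surface and the next person tightening the unit should not have to rediscover that by trial and error. Minor style point: the commented-out MemoryDenyWriteExecute line would be clearer as a comment stating what was observed to break (or "untested") rather than "probably".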
Thread: systemd sandboxing for online · Martin Milata