systemd: Lock down cockpit-ws

Now that cockpit-ws does not directly fork cockpit-session, and sessions run in their own service/cgroup, we can heavily lock down our webserver. (which is the weakest component in Cockpit). It now can't do anything any more except talking to cockpit-tls over stdin/out and cockpit-session over the Unix socket. Note that `DynamicUser=` already implies the biggest restrictions, such as `ProtectSystem=full`, `ProtectHome`, `PrivateTmp`, and more. But we can fine-tune it more. Fixes #21299 https://issues.redhat.com/browse/COCKPIT-1206
cockpit-project · Nov 22, 2024 · 75feac2 · 75feac2
1 parent c7d327f
commit 75feac2
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 0 deletions.
diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
@@ -9,3 +9,17 @@ After=cockpit-session.socket
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
 DynamicUser=true
 Group=cockpit-session-socket
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+
+# cockpit-tls does all our outside networking
+PrivateNetwork=yes
+PrivateIPC=yes
+RestrictAddressFamilies=AF_UNIX
+
+# extra protection for our TLS keys -- only cockpit-tls should read them
+InaccessiblePaths=-/etc/cockpit/ws-certs.d
diff --git a/src/systemd/[email protected] b/src/systemd/[email protected]
@@ -10,3 +10,17 @@ Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
 DynamicUser=yes
 Group=cockpit-session-socket
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+
+# cockpit-tls does all our outside networking
+PrivateNetwork=yes
+PrivateIPC=yes
+RestrictAddressFamilies=AF_UNIX
+
+# extra protection for our TLS keys -- only cockpit-tls should read them
+InaccessiblePaths=-/etc/cockpit/ws-certs.d