From 75feac239cb4e70480d216ffad322a2797c970b2 Mon Sep 17 00:00:00 2001
From: Martin Pitt
Date: Fri, 22 Nov 2024 14:56:47 +0100
Subject: [PATCH] systemd: Lock down cockpit-ws

Now that cockpit-ws does not directly fork cockpit-session, and sessions run in their own service/cgroup, we can heavily lock down our webserver. (which is the weakest component in Cockpit). It now can't do anything any more except talking to cockpit-tls over stdin/out and cockpit-session over the Unix socket.

Note that `DynamicUser=` already implies the biggest restrictions, such as `ProtectSystem=full`, `ProtectHome`, `PrivateTmp`, and more. But we can fine-tune it more.

Fixes #21299
https://issues.redhat.com/browse/COCKPIT-1206
---
 src/systemd/cockpit-wsinstance-http.service.in | 14 ++++++++++++++
 src/systemd/cockpit-wsinstance-https@.service.in | 14 ++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/src/systemd/cockpit-wsinstance-http.service.in b/src/systemd/cockpit-wsinstance-http.service.in
index f2fc0328e3c..93daff3c325 100644
--- a/src/systemd/cockpit-wsinstance-http.service.in
+++ b/src/systemd/cockpit-wsinstance-http.service.in
@@ -9,3 +9,17 @@ After=cockpit-session.socket
 ExecStart=@libexecdir@/cockpit-ws --no-tls --port=0
 DynamicUser=true
 Group=cockpit-session-socket
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+
+# cockpit-tls does all our outside networking
+PrivateNetwork=yes
+PrivateIPC=yes
+RestrictAddressFamilies=AF_UNIX
+
+# extra protection for our TLS keys -- only cockpit-tls should read them
+InaccessiblePaths=-/etc/cockpit/ws-certs.d
diff --git a/src/systemd/cockpit-wsinstance-https@.service.in b/src/systemd/cockpit-wsinstance-https@.service.in
index 8362f0aadfc..acfbc42bf3d 100644
--- a/src/systemd/cockpit-wsinstance-https@.service.in
+++ b/src/systemd/cockpit-wsinstance-https@.service.in
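Review bot: `SystemCallFilter=@system-service` is added without `SystemCallArchitectures=native`, and systemd's documentation for SystemCallFilter= recommends pairing the two on multi-ABI hosts (x86/x86-64) so that a non-native ABI cannot be used to sidestep the filter; `SystemCallArchitectures=native` belongs directly under the filter line here and in the identical block in cockpit-wsinstance-https@.service.in. Given the stated goal that cockpit-ws only talks to cockpit-tls and cockpit-session, `RestrictNamespaces=yes`, `LockPersonality=yes` and `ProtectKernelModules=yes` look like equally cheap additions, though whether they interfere with the socket hand-off from cockpit-tls should be confirmed by a test run rather than assumed. A system call outside `@system-service` terminates the process with SIGSYS by default, so a regression from this filter shows up as an abrupt exit of cockpit-ws rather than an error return; a comment above the filter line such as `# a denied syscall kills cockpit-ws with SIGSYS -- check the journal for SIGSYS on unexpected exits` would save the next person debugging it some time.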
@@ -10,3 +10,17 @@ Slice=system-cockpithttps.slice
 ExecStart=@libexecdir@/cockpit-ws --for-tls-proxy --port=0
 DynamicUser=yes
 Group=cockpit-session-socket
+
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+SystemCallFilter=@system-service
+
+# cockpit-tls does all our outside networking
+PrivateNetwork=yes
+PrivateIPC=yes
+RestrictAddressFamilies=AF_UNIX
+
+# extra protection for our TLS keys -- only cockpit-tls should read them
+InaccessiblePaths=-/etc/cockpit/ws-certs.d