systemd: Lock down cockpit-ws and -tls #21305
Merged
Commits on Nov 25, 2024
-
Now that cockpit-ws does not directly fork cockpit-session, and sessions run in their own service/cgroup, we can heavily lock down our webserver (which is the weakest component in Cockpit). It only needs to talk to cockpit-tls over stdin/out and cockpit-session over the Unix socket, and call SSH for remote host support (so we can't lock down networking completely). `DynamicUser=` already implies the biggest restrictions, such as `ProtectSystem=full`, `ProtectHome`, `PrivateTmp`, and more. We can even work with `ProtectSystem=strict` (i.e. everything being read-only except the service's /run directory and tmp dir). Fixes cockpit-project#21299 https://issues.redhat.com/browse/COCKPIT-1206
-
systemd: Clean up cockpit.service.in
Consistently use "yes" for boolean options. `DynamicUser` already implies `PrivateTmp` and `ProtectHome`.
-
systemd: Lock down cockpit-tls networking
cockpit-tls speaks to the outside world via socket activation, and to cockpit-ws via Unix socket. So it doesn't require much networking on its own.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.