
Restrict systemd services #975

Open
wants to merge 21 commits into base: main

Conversation

gngram
Contributor

@gngram gngram commented Jan 27, 2025

Description of changes

Apply more restrictions on the following systemd services:
- dnsmasq
- firewall
- enable-ksm
- generate-shutdown-ramfs
- kmod-static-node
- NetworkManager-dispatcher
- logrotate-checkconf
- logrotate
- nscd
- seatd
- systemd-journal-catalog-update
- systemd-journal-flush
- systemd-random-seed
- systemd-remount-fs
- systemd-rfkill
- systemd-tmpfiles-clean
- systemd-tmpfiles-setup-dev
- systemd-tmpfiles-setup
- systemd-udev-trigger
- NetworkManager

Removed some disabled services
Cleanup of dbus and greetd.

Checklist for things done

  • Summary of the proposed changes in the PR description
  • More detailed description in the commit message(s)
  • Commits are squashed into relevant entities - avoid a lot of minimal dev time commits in the PR
  • Contribution guidelines followed
  • Ghaf documentation updated with the commit - https://tiiuae.github.io/ghaf/
  • PR linked to architecture documentation and requirement(s) (ticket id)
  • Test procedure described (or includes tests). Select one or more:
    • Tested on Lenovo X1 x86_64
    • Tested on Jetson Orin NX or AGX aarch64
    • Tested on Polarfire riscv64
  • Author has run make-checks and it passes
  • All automatic Github Action checks pass - see actions
  • Author has added reviewers and removed PR draft status
  • Change requires full re-installation
  • Change can be updated with nixos-rebuild ... switch

Instructions for Testing

  • List all targets that this applies to:
    • All
  • Is this a new feature
    • List the test steps to verify:
      • Test system functionality
  • If it is an improvement how does it impact existing functionality?

@gngram gngram temporarily deployed to internal-build-workflow January 27, 2025 09:44 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 37b0479 to 0fc44b5 Compare January 28, 2025 07:14
@gngram gngram temporarily deployed to internal-build-workflow January 28, 2025 07:14 — with GitHub Actions Inactive
@gngram gngram added the Needs Testing CI Team to pre-verify label Jan 28, 2025
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 0fc44b5 to 40bb7ac Compare February 1, 2025 18:53
@gngram gngram temporarily deployed to internal-build-workflow February 1, 2025 18:53 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 40bb7ac to 7739dc2 Compare February 1, 2025 19:40
@gngram gngram temporarily deployed to internal-build-workflow February 1, 2025 19:40 — with GitHub Actions Inactive
@milva-unikie

Have the comments been addressed? Is this ready for testing? A rebase would be nice too.

@mbssrc mbssrc removed the Needs Testing CI Team to pre-verify label Feb 7, 2025
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 7739dc2 to 78341ea Compare February 13, 2025 12:42
@gngram gngram temporarily deployed to internal-build-workflow February 13, 2025 12:42 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 78341ea to e339e52 Compare February 17, 2025 09:39
@gngram gngram temporarily deployed to internal-build-workflow February 17, 2025 09:39 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from e339e52 to c86fdbc Compare February 18, 2025 11:07
@gngram gngram temporarily deployed to internal-build-workflow February 18, 2025 11:07 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from c86fdbc to fc3aa55 Compare February 19, 2025 11:44
@gngram gngram temporarily deployed to internal-build-workflow February 19, 2025 11:44 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from fc3aa55 to 4bedf93 Compare March 5, 2025 08:52
@gngram gngram temporarily deployed to internal-build-workflow March 5, 2025 08:53 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 4bedf93 to 47e1a89 Compare March 5, 2025 10:34
@gngram gngram temporarily deployed to internal-build-workflow March 5, 2025 10:34 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 47e1a89 to 2050e35 Compare March 5, 2025 13:11
@gngram gngram temporarily deployed to internal-build-workflow March 5, 2025 13:11 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 2050e35 to f3e7030 Compare March 5, 2025 13:58
@gngram gngram temporarily deployed to internal-build-workflow March 5, 2025 13:58 — with GitHub Actions Inactive
@gngram gngram temporarily deployed to internal-build-workflow March 6, 2025 10:51 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from 7795bc3 to f28b285 Compare March 6, 2025 11:38
@gngram gngram temporarily deployed to internal-build-workflow March 6, 2025 11:38 — with GitHub Actions Inactive
gngram added 20 commits March 6, 2025 16:45
- Cleanup dbus service
- Strict configs for dnsmasq service
- Service is not enabled by default in Ghaf
- Tested in net-vm using the following config and allowing port 1053:

```nix
services.dnsmasq = {
  enable = true;
  settings = {
    bogus-priv = true;
    domain-needed = true;
    interface = "wlp0s5f0";
    listen-address = [ "0.0.0.0" ];
    port = 1053;
  };
};
```

Signed-off-by: Ganga Ram <[email protected]>
- Cleanup greetd service

Signed-off-by: Ganga Ram <[email protected]>
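As an added illustration, not code from this PR or from Ghaf, of what a "strict config" for the dnsmasq service can look like as a NixOS module: the net-vm test configuration from the commit message, the firewall opening for port 1053 it mentions, and a hardened `serviceConfig` beside it. The directive names are upstream systemd ones, but the selection and the capability set are this example's assumptions for a DNS-only dnsmasq; it also assumes the NixOS dnsmasq module already sets `PrivateTmp`, `ProtectHome` and `ProtectSystem = true`, which is why `ProtectSystem` is overridden with `lib.mkForce`.

```nix
{ lib, ... }:
{
  # Firewall opening for the alternate DNS port used in the net-vm test.
  networking.firewall.allowedUDPPorts = [ 1053 ];
  networking.firewall.allowedTCPPorts = [ 1053 ];

  # The test configuration from the commit message.
  services.dnsmasq = {
    enable = true;
    settings = {
      bogus-priv = true;
      domain-needed = true;
      interface = "wlp0s5f0";
      listen-address = [ "0.0.0.0" ];
      port = 1053;
    };
  };

  # Assumed hardening set for a DNS-only dnsmasq; the selection is this
  # example's, not Ghaf's. PrivateTmp and ProtectHome are assumed to be set
  # by the NixOS module already, so they are not repeated here.
  systemd.services.dnsmasq.serviceConfig = {
    # dnsmasq starts as root and drops to its own user itself, so it needs
    # the setuid/setgid capabilities; CAP_NET_BIND_SERVICE covers port 53.
    # DHCP use would additionally need CAP_NET_ADMIN and CAP_NET_RAW.
    CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ];
    AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" "CAP_SETUID" "CAP_SETGID" ];
    NoNewPrivileges = true;
    # Read-only OS tree (module default assumed to be "true", hence mkForce).
    ProtectSystem = lib.mkForce "strict";
    PrivateDevices = true;
    ProtectProc = "invisible";
    ProtectKernelTunables = true;
    ProtectKernelModules = true;
    ProtectKernelLogs = true;
    ProtectControlGroups = true;
    RestrictNamespaces = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    LockPersonality = true;
    MemoryDenyWriteExecute = true;
    # IPv4/IPv6 for DNS, AF_UNIX for the D-Bus connection NixOS enables,
    # AF_NETLINK for interface enumeration.
    RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
    # Syscall allow-list built from systemd's predefined groups.
    SystemCallFilter = [ "@system-service" "~@mount" "~@swap" "~@reboot" ];
    SystemCallArchitectures = "native";
  };
}
```

After switching, `systemd-analyze security dnsmasq.service` lists which restrictions are in effect, and `journalctl -u dnsmasq` shows whether a capability or syscall was cut too tightly for the configured mode.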
@gngram gngram force-pushed the pr__restrict_systemd-services branch from f28b285 to a0ced67 Compare March 6, 2025 13:14
@gngram gngram temporarily deployed to internal-build-workflow March 6, 2025 13:14 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from a0ced67 to b9ebec0 Compare March 6, 2025 13:31
@gngram gngram temporarily deployed to internal-build-workflow March 6, 2025 13:31 — with GitHub Actions Inactive
@gngram gngram force-pushed the pr__restrict_systemd-services branch from b9ebec0 to 879876a Compare March 7, 2025 09:09
@gngram gngram temporarily deployed to internal-build-workflow March 7, 2025 09:09 — with GitHub Actions Inactive