Fedora 40’s Intention to Implement System Service Isolation

A proposal for the Fedora 40 release would enable isolation settings for the systemd services that are enabled by default, as well as for the services of important applications such as PostgreSQL, Apache httpd, Nginx and MariaDB. The change is expected to significantly improve the security of the distribution in its default configuration and to make it possible to block the exploitation of as-yet-unknown vulnerabilities in system services. The proposal has not yet been reviewed by FESCo (Fedora Engineering Steering Committee), the body responsible for the technical side of Fedora's development, and it may also be rejected during the community review process.

Settings recommended for inclusion:

  • PrivateTmp=yes – gives the service its own directories for temporary files.
  • ProtectSystem=yes/full/strict – mounts parts of the file system read-only (in "full" mode additionally /etc/, in "strict" mode everything except /dev/, /proc/ and /sys/).
  • ProtectHome=yes – denies access to user home directories.
  • PrivateDevices=yes – leaves access only to /dev/null, /dev/zero and /dev/random.
  • ProtectKernelTunables=yes – read-only access to /proc/sys/, /sys/, /proc/acpi, /proc/fs, /proc/irq, etc.
  • ProtectKernelModules=yes – prohibits loading kernel modules.
  • ProtectKernelLogs=yes – prohibits access to the kernel log buffer.
  • ProtectControlGroups=yes – read-only access to /sys/fs/cgroup/.
  • NoNewPrivileges=yes – prohibits privilege elevation through the setuid and setgid bits and file capabilities.
  • PrivateNetwork=yes – places the service in a separate network namespace.
  • ProtectClock=yes – prohibits changing the system time.
  • ProtectHostname=yes – prohibits changing the host name.
  • ProtectProc=invisible – hides other users' processes in /proc.
  • User=

Additionally, you may consider enabling the following settings:

  • CapabilityBoundingSet=
  • DevicePolicy=closed
  • KeyringMode=private
  • LockPersonality=yes
  • MemoryDenyWriteExecute=yes
  • PrivateUsers=yes
  • RemoveIPC=yes
  • RestrictAddressFamilies=
  • RestrictNamespaces=yes
  • RestrictRealtime=yes
  • RestrictSUIDSGID=yes
  • SystemCallFilter=
  • SystemCallArchitectures=native
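To make the two lists above concrete, here is an added example (not part of the Fedora proposal or of systemd itself) that audits the [Service] section of a unit or drop-in against both the recommended and the optional directives. The accepted-value table is my reading of the lists plus systemd's usual boolean spellings, and the embedded drop-in for a hypothetical web server unit is constructed for illustration; it deliberately omits PrivateNetwork=, because a network-facing daemon cannot run inside an empty network namespace, and relies on ReadWritePaths= to keep ProtectSystem=strict workable.

```python
"""Audit a systemd [Service] section against the hardening directives
proposed for Fedora 40 (added example, not part of the proposal)."""

YES = ("yes", "true")  # systemd boolean spellings; "1" and "on" also work

# Directive -> accepted values; () means "present with a non-empty value".
RECOMMENDED = {
    "PrivateTmp": YES, "ProtectSystem": ("yes", "true", "full", "strict"),
    "ProtectHome": YES, "PrivateDevices": YES, "ProtectKernelTunables": YES,
    "ProtectKernelModules": YES, "ProtectKernelLogs": YES,
    "ProtectControlGroups": YES, "NoNewPrivileges": YES, "PrivateNetwork": YES,
    "ProtectClock": YES, "ProtectHostname": YES, "ProtectProc": ("invisible",),
    "User": (),
}
OPTIONAL = {
    "CapabilityBoundingSet": (), "DevicePolicy": ("closed",),
    "KeyringMode": ("private",), "LockPersonality": YES,
    "MemoryDenyWriteExecute": YES, "PrivateUsers": YES, "RemoveIPC": YES,
    "RestrictAddressFamilies": (), "RestrictNamespaces": YES,
    "RestrictRealtime": YES, "RestrictSUIDSGID": YES, "SystemCallFilter": (),
    "SystemCallArchitectures": ("native",),
}

# Constructed drop-in for a hypothetical web server unit, e.g. a file at
# /etc/systemd/system/<unit>.service.d/hardening.conf (path is illustrative).
SAMPLE_DROPIN = """\
[Service]
# strict = whole FS read-only, so whitelist what the daemon must write
ProtectSystem=strict
ReadWritePaths=/var/log/webserver /var/cache/webserver
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
NoNewPrivileges=yes
# PrivateNetwork= intentionally absent: the daemon has to reach the network.
# User= is left to the vendor unit here, so the audit should flag it.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged \\
    @resources
LockPersonality=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
"""


def parse_service_section(text):
    """Return {directive: [values...]} for the [Service] section, handling
    '#'/';' comments, backslash continuation and repeated keys (systemd
    allows several SystemCallFilter= lines, for example)."""
    settings, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings.setdefault(key, []).append(value)
    return settings


def _satisfied(key, values, accepted):
    """The last assignment wins in systemd; () keys need a non-empty value,
    except CapabilityBoundingSet=, where an empty set is the strictest."""
    if not values:
        return False
    last = values[-1]
    if not accepted:
        return bool(last) or key == "CapabilityBoundingSet"
    return last.lower() in accepted


def audit(unit_text):
    """Report recommended directives that are missing or set to a weak
    value, and optional directives that are not enabled."""
    svc = parse_service_section(unit_text)
    report = {"missing": [], "weak": {}, "optional_missing": []}
    for key, accepted in RECOMMENDED.items():
        values = svc.get(key, [])
        if not values:
            report["missing"].append(key)
        elif not _satisfied(key, values, accepted):
            report["weak"][key] = values[-1]
    for key, accepted in OPTIONAL.items():
        if not _satisfied(key, svc.get(key, []), accepted):
            report["optional_missing"].append(key)
    return report


if __name__ == "__main__":
    for name, items in audit(SAMPLE_DROPIN).items():
        print(f"{name}: {items}")
```

On a real system the authoritative check is `systemd-analyze security <unit>`, which scores the effective settings of a running unit rather than parsing text; the script above is useful for reviewing drop-ins before they are deployed, and for spotting directives like User= that a vendor unit may leave unset.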
