From 6ee2696c53f63ac769124e36520870cc38e5df02 Mon Sep 17 00:00:00 2001
From: JustArchi
Date: Sat, 1 Oct 2022 00:22:39 +0200
Subject: [PATCH] Revert "Add explanation to ASF service hardening (#2707)"

This reverts commit f09c7cbb19ee7f6e7a5f20870ace97a16bba2735.

---
 .../linux/ArchiSteamFarm@.service | 40 +++++++++----------
 .../generic-netf/ArchiSteamFarm@.service | 40 +++++++++----------
 .../generic/ArchiSteamFarm@.service | 40 +++++++++----------
 3 files changed, 60 insertions(+), 60 deletions(-)

diff --git a/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service b/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service
index 8ae39cb7e..710b2cdfc 100644
--- a/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service
+++ b/ArchiSteamFarm/overlay/variant-base/linux/ArchiSteamFarm@.service
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
 User=%i
 
 # ASF security hardening, all of the below entries are optional, but their existence improves security of your system
-LockPersonality=yes # ASF cannot change ABI personality
-PrivateDevices=yes # ASF has no access to hardware devices
-PrivateIPC=yes # ASF has private IPC namespace.
-PrivateMounts=yes # ASF cannot install system mounts
-PrivateUsers=yes # ASF does not have access to other users
-ProtectClock=yes # ASF cannot write to the hardware clock or system clock
-ProtectControlGroups=yes # ASF cannot modify the control group file system
-ProtectHome=read-only # ASF has read-only access to home directories
-ProtectHostname=yes # ASF cannot change system host/domainname
-ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
-ProtectKernelModules=yes # ASF cannot load or read kernel modules
-ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
-ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
-ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
-ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
-RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
-RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
-RestrictNamespaces=yes # ASF cannot create namespaces
-RestrictRealtime=yes # ASF realtime scheduling access is restricted
-RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
+LockPersonality=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 
 [Unit]
 After=network.target
diff --git a/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service b/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service
index f85aade15..b2e63485c 100644
--- a/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service
+++ b/ArchiSteamFarm/overlay/variant-specific/generic-netf/ArchiSteamFarm@.service
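Review bot: The restored bare `Key=value` lines drop every per-directive explanation without recording why the inline form had to go: systemd only recognises `#` and `;` comments at the start of a line, so on the removed lines the trailing text was part of the value (`yes # ASF cannot change ABI personality` is not a boolean, and `/tmp # ASF only has ...` is not a path list), and those hardening directives would not have been applied as written. I would keep that rationale in the unit itself, on its own line under the existing header comment, e.g. `# NOTE: systemd has no trailing comments - keep explanations on their own line, otherwise the text becomes part of the value and the directive is not applied.`, and optionally move each removed explanation to a full-line comment above its directive so the documentation from #2707 survives without breaking parsing. The same applies to the identical hunks for the generic-netf and generic variants below. The section header these directives belong to (presumably `[Service]`) lies outside the hunk.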
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
 User=%i
 
 # ASF security hardening, all of the below entries are optional, but their existence improves security of your system
-LockPersonality=yes # ASF cannot change ABI personality
-PrivateDevices=yes # ASF has no access to hardware devices
-PrivateIPC=yes # ASF has private IPC namespace.
-PrivateMounts=yes # ASF cannot install system mounts
-PrivateUsers=yes # ASF does not have access to other users
-ProtectClock=yes # ASF cannot write to the hardware clock or system clock
-ProtectControlGroups=yes # ASF cannot modify the control group file system
-ProtectHome=read-only # ASF has read-only access to home directories
-ProtectHostname=yes # ASF cannot change system host/domainname
-ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
-ProtectKernelModules=yes # ASF cannot load or read kernel modules
-ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
-ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
-ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
-ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
-RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
-RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
-RestrictNamespaces=yes # ASF cannot create namespaces
-RestrictRealtime=yes # ASF realtime scheduling access is restricted
-RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
+LockPersonality=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 
 [Unit]
 After=network.target
diff --git a/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service b/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service
index c9d069ec3..da3e1ef63 100644
--- a/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service
+++ b/ArchiSteamFarm/overlay/variant-specific/generic/ArchiSteamFarm@.service
@@ -10,26 +10,26 @@ SyslogIdentifier=asf-%i
 User=%i
 
 # ASF security hardening, all of the below entries are optional, but their existence improves security of your system
-LockPersonality=yes # ASF cannot change ABI personality
-PrivateDevices=yes # ASF has no access to hardware devices
-PrivateIPC=yes # ASF has private IPC namespace.
-PrivateMounts=yes # ASF cannot install system mounts
-PrivateUsers=yes # ASF does not have access to other users
-ProtectClock=yes # ASF cannot write to the hardware clock or system clock
-ProtectControlGroups=yes # ASF cannot modify the control group file system
-ProtectHome=read-only # ASF has read-only access to home directories
-ProtectHostname=yes # ASF cannot change system host/domainname
-ProtectKernelLogs=yes # ASF cannot read from or write to the kernel log ring buffer
-ProtectKernelModules=yes # ASF cannot load or read kernel modules
-ProtectKernelTunables=yes # ASF cannot alter kernel tunables (/proc/sys, ^` )
-ProtectProc=invisible # ASF has restricted access to process tree (/proc hidepid=)
-ProtectSystem=strict # ASF has strict read-only access to the OS file hierarchy
-ReadWritePaths=/home/%i/ArchiSteamFarm /tmp # ASF only has read/write privileges to these paths
-RemoveIPC=yes # ASF user cannot leave SysV IPC objects around
-RestrictAddressFamilies=AF_INET AF_INET6 # ASF may allocate Internet sockets
-RestrictNamespaces=yes # ASF cannot create namespaces
-RestrictRealtime=yes # ASF realtime scheduling access is restricted
-RestrictSUIDSGID=yes # SUID/SGID file creation by ASF is restricted
+LockPersonality=yes
+PrivateDevices=yes
+PrivateIPC=yes
+PrivateMounts=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=read-only
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 
 [Unit]
 After=network.target