By now you have probably read all about how systemd is so easy to “crash” that one can make it fit in a tweet (How to Crash Systemd in One Tweet). This post...
French: slides, article, video, SSTIC 2017 website.
English: slides, video (mp4, webm), RMLL Ubicast page.
Since then, upstream systemd developers added a lot of interesting features, so let’s review some of them.
@system-service system call whitelist
With the SystemCallFilter option, you may now use the @system-service group to whitelist all the common system calls used by system services. I usually like to combine it with a secondary blacklist to further limit the available system calls:
The SystemCallErrorNumber=EPERM option also makes it much easier to debug filter issues: a process that hits the filter gets an error back instead of being killed with SIGSYS, so the service's own logs usually tell you which call was blocked.
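As an added example (not a unit file from the original post), here is a drop-in for a hypothetical service named myservice that combines the three settings above: the @system-service whitelist, a secondary blacklist that removes the root-only and resource-control groups, and EPERM as the error returned to the caller. The service name and the choice of removed groups are assumptions; trim the blacklist to what your daemon actually needs.

```ini
# /etc/systemd/system/myservice.service.d/seccomp.conf
# Added example, not from the original post. "myservice" is a hypothetical unit;
# the groups removed below are an assumption and must match the daemon's real needs.
[Service]
# Only accept system calls of the native ABI (blocks e.g. i386 or x32 calls on x86_64,
# which would otherwise bypass a filter written for the native call numbers).
SystemCallArchitectures=native

# The first assignment without "~" turns the filter into a whitelist:
# everything in @system-service is allowed, everything else is blocked.
SystemCallFilter=@system-service

# A later assignment prefixed with "~" removes entries from that whitelist.
# @privileged: root-only operations such as mount, module loading, reboot, raw I/O.
# @resources:  setrlimit/prlimit, scheduler and priority changes, mlock and friends.
# Removing @resources breaks daemons that raise their own limits, so check the logs.
SystemCallFilter=~@privileged @resources

# Return EPERM instead of delivering SIGSYS, so a blocked call surfaces as an
# ordinary error in the service's logs instead of a crash while you tune the list.
SystemCallErrorNumber=EPERM
```

After `systemctl daemon-reload` and a restart, `systemd-analyze syscall-filter @system-service` prints the members of the group so you can see exactly what the whitelist contains. Keep in mind that EPERM is a debugging aid: once the filter is stable, dropping SystemCallErrorNumber= restores the default, which terminates the process on a violation and is the safer behaviour against an exploited service.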
For more details, read the corresponding entry in the systemd.exec man page.
These options provide functionality similar to TCP Wrappers, with two directives: IPAddressDeny and IPAddressAllow. Restricting a service to localhost is now as simple as:
And restricting a service to the local network:
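Both cases, as an added example that is not the post's own configuration: two alternative drop-in files for a hypothetical myservice unit. The unit name and the private address ranges used for the "local network" variant are assumptions; adjust them to your own addressing.

```ini
# Added example, not from the original post. "myservice" and the address ranges
# are assumptions. Each of the two variants is its own drop-in file under
# /etc/systemd/system/myservice.service.d/ (use one or the other, not both).

# --- 10-localhost.conf: only loopback traffic ---
[Service]
# Deny everything, then allow loopback. "localhost" expands to 127.0.0.0/8 and ::1,
# "any" to 0.0.0.0/0 and ::/0. Allow entries win over deny entries regardless of order.
IPAddressDeny=any
IPAddressAllow=localhost

# --- 10-local-network.conf: loopback plus the RFC 1918 ranges (assumed site layout) ---
[Service]
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=10.0.0.0/8
IPAddressAllow=172.16.0.0/12
IPAddressAllow=192.168.0.0/16
```

Two caveats a practitioner should know before relying on this: the filter is implemented with BPF programs attached to the service's cgroup, so it needs the unified cgroup hierarchy (cgroup v2) and a kernel with cgroup BPF support, and it only sees AF_INET and AF_INET6 sockets, so AF_UNIX sockets are not restricted by it. Because it is attached to the cgroup, the filter does cover every child process the service spawns.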
For more details, read the corresponding entry in the systemd.resource-control man page.
The RuntimeDirectory, StateDirectory, CacheDirectory, LogsDirectory and ConfigurationDirectory options will create directories with the specified permissions and user:group ownership. This makes it really easy to duplicate services (using templates, for example) and have all directory creation handled automatically:
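An added example (not the post's own unit) of a template unit that relies on this: every instance of a hypothetical myservice@.service gets its own runtime, state, cache and log directories, created and owned by the service user before ExecStart runs. The unit name, user, group and binary path are assumptions, as is the use of the %i specifier inside the directory options, which current systemd expands.

```ini
# /etc/systemd/system/myservice@.service
# Added example, not from the original post. Unit name, user, group and binary
# are hypothetical. %i is the instance name: myservice@alpha.service -> "alpha".
[Unit]
Description=myservice instance %i

[Service]
User=myservice
Group=myservice
ExecStart=/usr/bin/myservice --state /var/lib/myservice/%i --cache /var/cache/myservice/%i

# Paths are relative to the fixed roots; the innermost directory is owned by User:Group:
#   RuntimeDirectory -> /run/myservice/%i       (removed when the service stops,
#                                                unless RuntimeDirectoryPreserve= is set)
#   StateDirectory   -> /var/lib/myservice/%i
#   CacheDirectory   -> /var/cache/myservice/%i
#   LogsDirectory    -> /var/log/myservice/%i
RuntimeDirectory=myservice/%i
StateDirectory=myservice/%i
CacheDirectory=myservice/%i
LogsDirectory=myservice/%i

# Default mode is 0755; keep other users out of per-instance data.
RuntimeDirectoryMode=0750
StateDirectoryMode=0750
CacheDirectoryMode=0750
LogsDirectoryMode=0750

[Install]
WantedBy=multi-user.target
```

Only the innermost directory (the %i level here) gets the User:Group ownership and the configured mode; the parent /var/lib/myservice is created as well but stays root-owned. ConfigurationDirectory= (under /etc) is the exception among these options: it is not chowned to the service user, which is what you want for files the service should read but not rewrite.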