Support system services correctly #148

Open
Thaodan opened this issue Dec 21, 2022 · 0 comments

Thaodan commented Dec 21, 2022

Description

Hey, I created a new bug for this to make tracking the progress on this a little easier, since the other bug contains quite a mess.

First of all, I got pantalaimon working as a system service.

I plan to pick this up later, so I want to track my changes here and discuss any further steps.

My changes:

  • In pantalaimon and panctl, import SystemBus() instead of SessionBus()
  • Provide a dbus config to configure who can touch the service and who can spawn under the name.

dbus busconfig:

<!DOCTYPE busconfig PUBLIC
          "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
          "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>

  <!-- Only root or user pantalaimon can own the Pantalaimon service -->
  <policy user="pantalaimon">
    <allow own="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow own="org.pantalaimon1"/>
  </policy>

  <!-- The opening tag of this policy was missing in the original post;
       <policy context="default"> (any local user may talk to the service)
       is assumed here so the document is well-formed. Narrow it to a
       specific user= or group= if only some accounts should reach the proxy. -->
  <policy context="default">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
</busconfig>

systemd system service

I created this service to reduce the permissions that the system service has:

# /usr/lib/systemd/system/pantalaimon.service
[Unit]
Description=Pantalaimon E2E Matrix reverse proxy
Requires=dbus.socket
# Requires= alone does not order startup; After= makes sure the bus socket exists first.
After=dbus.socket

[Service]
ExecStart=/usr/bin/pantalaimon -c /etc/pantalaimon.conf
Type=simple
User=pantalaimon
Group=pantalaimon
DynamicUser=true
SyslogIdentifier=pantalaimon
StateDirectory=pantalaimon
RuntimeDirectory=pantalaimon
Environment=LC_ALL=en_US.UTF-8
Environment=HOME=/var/lib/pantalaimon
Restart=always
RestartSec=10
# Sandboxing: no capabilities, no privilege escalation, read-only system view.
CapabilityBoundingSet=
AmbientCapabilities=
NoNewPrivileges=true
#SecureBits=
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
PrivateNetwork=false
PrivateUsers=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=true
LockPersonality=true
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallFilter=@system-service
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target

What is left

The issue now is how pantalaimon should decide which bus it spawns on.

  • An option would be to provide switches for either mode for the daemon and panctl
  • let panctl check whether it connects first to the user or system session with the dbus service
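To check what the busconfig from the comment above actually grants, here is a small evaluator for the subset of the dbus-daemon policy language it uses. This is an added example, not code from the pantalaimon project. It assumes the policy whose opening tag is missing in the post is `<policy context="default">`, and it models only `user=`/`context=` policies with `allow`/`deny` rules on `own`, `send_destination` and `receive_sender`, applying the precedence dbus-daemon documents (default context first, then group, then user, then mandatory context, with the last matching rule winning) and a baseline of deny, as system.conf sets for owning names and sending method calls on the system bus. The `BUSCONFIG` string and the user names are constructed for the example.

```python
"""Evaluate who may own or call org.pantalaimon1 under a dbus busconfig.

Added example (not pantalaimon code).  Covers only the policy subset used
in the issue: <policy user=...>, <policy group=...>, <policy context=...>
with <allow>/<deny> on own, send_destination and receive_sender.
"""
import xml.etree.ElementTree as ET

# Constructed config: the issue's busconfig, with the dropped opening tag
# assumed to be <policy context="default"> (any local user may call in).
BUSCONFIG = """<busconfig>
  <policy user="pantalaimon">
    <allow own="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow own="org.pantalaimon1"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
  <policy user="root">
    <allow send_destination="org.pantalaimon1"/>
    <allow receive_sender="org.pantalaimon1"/>
  </policy>
</busconfig>"""

# dbus-daemon applies policies in this order; later ones override earlier ones.
RANK = {"default": 0, "group": 1, "user": 2, "mandatory": 3}


def _rank(policy):
    ctx = policy.attrib.get("context")
    if ctx is not None:
        return RANK[ctx]
    return RANK["group"] if "group" in policy.attrib else RANK["user"]


def _applies(policy, user, groups):
    """Does this <policy> element apply to the given user at all?"""
    ctx = policy.attrib.get("context")
    if ctx in ("default", "mandatory"):
        return True
    if "group" in policy.attrib:
        return policy.attrib["group"] in groups
    return policy.attrib.get("user") == user


def decide(config_xml, user, groups, attr, value):
    """True if `user` may do `attr` (own / send_destination / receive_sender)
    on `value`.  Baseline is deny; the last matching rule wins."""
    root = ET.fromstring(config_xml)
    policies = [p for p in root.findall("policy") if _applies(p, user, groups)]
    policies.sort(key=_rank)  # stable: document order kept within a rank
    verdict = False
    for policy in policies:
        for rule in policy:
            if rule.tag not in ("allow", "deny"):
                continue
            target = rule.attrib.get(attr)
            if target is not None and target in (value, "*"):
                verdict = rule.tag == "allow"
    return verdict


def may_own(user, name, groups=(), config_xml=BUSCONFIG):
    return decide(config_xml, user, set(groups), "own", name)


def may_call(user, name, groups=(), config_xml=BUSCONFIG):
    return decide(config_xml, user, set(groups), "send_destination", name)


if __name__ == "__main__":
    for who in ("pantalaimon", "root", "alice"):  # alice: constructed other user
        print(who, "own:", may_own(who, "org.pantalaimon1"),
              "call:", may_call(who, "org.pantalaimon1"))
```

With the default-context assumption, only `pantalaimon` and `root` can own the name, but every local user can send method calls to it; replacing that one policy with `<policy user="pantalaimon">` closes the bus to everyone except that user and root, which is the trade-off to decide when the service moves from the session bus to the system bus.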