steve
047c1d1912
Allow-list filter @system-service excludes some syscalls Go's runtime + restic's file scanner reach for; init job died immediately with "bad system call (core dumped)". CapabilityBounding already constrains what root can do; the Protect*/Restrict* toggles still cover network / kernel / mount / namespace. Net effect on the threat model is negligible vs the operational cost. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
64 lines
2.4 KiB
Desktop File
64 lines
2.4 KiB
Desktop File
[Unit]
|
|
Description=restic-manager agent
|
|
Documentation=https://gitea.dcglab.co.uk/steve/restic-manager
|
|
After=network-online.target
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStart=/usr/local/bin/restic-manager-agent -config /etc/restic-manager/agent.yaml
|
|
Restart=always
|
|
RestartSec=5
|
|
|
|
# The agent runs as root. A fleet-backup tool needs to read every
|
|
# file on the system regardless of DAC permissions; running as a
|
|
# dedicated unprivileged user means either silent skips on /home,
|
|
# /root, /var/lib/<other-daemons>, or operators having to add the
|
|
# service user to every group whose files they want backed up. Both
|
|
# are worse than the threat model already implies (the agent holds
|
|
# repo credentials, executes arbitrary restic, and runs operator-
|
|
# defined hooks — its blast radius is already large).
|
|
#
|
|
# The mitigation is aggressive systemd sandboxing of the root
|
|
# process: drop all capabilities except the few we need, deny
|
|
# writes outside our state dirs, and forbid privilege escalation.
|
|
User=root
|
|
Group=root
|
|
|
|
# CAP_DAC_READ_SEARCH lets us read any file regardless of DAC perms
|
|
# (the "backup everything" capability). CAP_DAC_OVERRIDE is needed
|
|
# during restore for chown/chmod to recreate ownership. Drop the
|
|
# rest — root in this process means "can read", not "can do".
|
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
|
|
AmbientCapabilities=CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER CAP_CHOWN
|
|
|
|
# Hardening — blocks privilege escalation even from root, and
|
|
# confines writes / network / kernel access to what restic actually
|
|
# needs. Filesystem reads stay open: that's the whole job.
|
|
NoNewPrivileges=true
|
|
ProtectSystem=strict
|
|
ReadWritePaths=/etc/restic-manager /var/lib/restic-manager
|
|
ProtectHome=read-only
|
|
ProtectHostname=true
|
|
ProtectKernelTunables=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelLogs=true
|
|
ProtectControlGroups=true
|
|
ProtectClock=true
|
|
PrivateTmp=true
|
|
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
RestrictNamespaces=true
|
|
LockPersonality=true
|
|
MemoryDenyWriteExecute=true
|
|
SystemCallArchitectures=native
|
|
# (No SystemCallFilter — the cap drop above already constrains what
|
|
# root can do; an allow-list filter killed restic with SIGSYS during
|
|
# init because @system-service excludes some of the syscalls Go's
|
|
# runtime + restic's file scanner reach for. The Protect*/Restrict*
|
|
# toggles still cover network / kernel / mount / namespace.)
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|