From 9e8d14bd5da87d2592b3da0d702e52948aec6674 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 15 May 2026 18:19:17 +0000
Subject: [PATCH] =?UTF-8?q?systemd:=20hardening=20=E2=80=94=20ProtectSyste?= =?UTF-8?q?m=3Dstrict,=20ReadOnlyPaths=20for=20/raweb=20+=20/srv=20+=20let?= =?UTF-8?q?sencrypt,=20ReadWritePaths=20for=20/run=20+=20logs;=20explicitl?= =?UTF-8?q?y=20skip=20MemoryDenyWriteExecute=20+=20~@resources=20(known=20?= =?UTF-8?q?to=20break=20LuaJIT/setrlimit)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 static/Raccoon/nginx.service | 31 +++++++++++++++++++++++++++++++
 static/Trixie/nginx.service | 31 +++++++++++++++++++++++++++++++
 2 files changed, 62 insertions(+)
diff --git a/static/Raccoon/nginx.service b/static/Raccoon/nginx.service
index 7fc2ad6..a10120f 100644
--- a/static/Raccoon/nginx.service
+++ b/static/Raccoon/nginx.service
@@ -15,5 +15,36 @@ ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
 TimeoutStartSec=10
 LimitNOFILE=65535
 
+# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+PrivateDevices=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
+# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
+ReadWritePaths=/run /var/log/nginx /nginx /hostdata
+# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
+# allows reads everywhere by default — these are documented for the operator's
+# benefit (and so they survive future hardening tightening).
+ReadOnlyPaths=/raweb /srv /etc/letsencrypt
+# NOTE deliberately OFF:
+# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
+# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
+
 [Install]
 WantedBy=multi-user.target
diff --git a/static/Trixie/nginx.service b/static/Trixie/nginx.service
index 7fc2ad6..a10120f 100644
--- a/static/Trixie/nginx.service
+++ b/static/Trixie/nginx.service
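Review bot: The new block never bounds capabilities: there is no `CapabilityBoundingSet=` among the added lines and no `User=` is visible in the hunk, so if the master still runs as root (as a stock nginx unit does) it keeps the full capability set and the mount-based protections rest on the seccomp filter alone rather than on a dropped capability. Adding `CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_CHOWN CAP_DAC_OVERRIDE` next to `NoNewPrivileges=true` is the usual next step for an nginx unit; the exact set depends on what the master does at start (privileged ports, switching to the worker user, chown of log/temp dirs), so confirm it on a test host before rolling it out. `ReadWritePaths=/run` also grants writes to all of /run rather than just the pid, lock and temp/ entries the comment names; a `RuntimeDirectory=nginx` with those paths moved under /run/nginx would narrow it, but that needs a matching nginx.conf change. The Trixie hunk is byte-identical (same index 7fc2ad6..a10120f), so the same applies there, and a shared drop-in would keep the two copies from drifting.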
@@ -15,5 +15,36 @@ ExecStop=/bin/sh -c "/bin/kill -s QUIT $(/bin/cat /run/nginx.pid)"
 TimeoutStartSec=10
 LimitNOFILE=65535
 
+# === hardening (compatible with LuaJIT + nginx workers + raweb agent) ===
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+ProtectClock=true
+ProtectHostname=true
+PrivateDevices=true
+PrivateTmp=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+LockPersonality=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallErrorNumber=EPERM
+# ProtectSystem=strict makes the entire filesystem read-only EXCEPT these.
+# /run covers nginx.pid, nginx.lock, and the temp/ subdir (all tmpfs).
+ReadWritePaths=/run /var/log/nginx /nginx /hostdata
+# Read-only paths nginx legitimately accesses. ProtectSystem=strict already
+# allows reads everywhere by default — these are documented for the operator's
+# benefit (and so they survive future hardening tightening).
+ReadOnlyPaths=/raweb /srv /etc/letsencrypt
+# NOTE deliberately OFF:
+# MemoryDenyWriteExecute=true breaks LuaJIT (JIT writable+executable pages)
+# SystemCallFilter=~@resources breaks nginx workers' prlimit64()
+
 [Install]
 WantedBy=multi-user.target