
systemd hardened unit file

Added by Martin Bednar over 8 years ago

In my spree to tighten down the rights of long-running daemons on my system, I came up with the following systemd unit file:

[Unit]
Description=tvheadend
After=network.target

[Service]
User=tvheadend
Group=video
Type=simple
PIDFile=/run/tvheadend/tvheadend.pid
ExecStart=/usr/bin/tvheadend -p /run/tvheadend/tvheadend.pid -C -c /etc/tvheadend
ExecStop=/bin/kill -QUIT $MAINPID
Restart=always
RestartSec=5

# Hardening
PrivateTmp=yes
DeviceAllow=char-DVB
DevicePolicy=closed
ReadWriteDirectories=/mnt/local/record /etc/tvheadend
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target

What this does is prevent tvheadend from accessing any device nodes other than those related to DVB, and it doesn't allow it to write (almost) anywhere in the system except its config and a folder for recordings. tvheadend also no longer starts as root.

This is tested with current tvheadend git, systemd-229 and linux-4.5, and only DVB.

If you try it, and find issues, please share!

Serafean.

Bonus tip:
If you want tvheadend to bind to ports < 1024, add

CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
to the service section (untested).


Replies (1)

RE: systemd hardened unit file - Added by Martin Bednar almost 8 years ago

Update:
Added more lockdown options.
Allowed access to DRM devices (should enable HW-accelerated transcoding).

[Unit]
Description=tvheadend
After=network.target

[Service]
User=tvheadend
Group=video
Type=simple
PIDFile=/run/tvheadend/tvheadend.pid
ExecStart=/usr/bin/tvheadend -6 -p /run/tvheadend/tvheadend.pid -C -c /etc/tvheadend
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/bin/kill -QUIT $MAINPID
Restart=always
RestartSec=5

# Hardening
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectControlGroups=yes
ProtectKernelModules=yes
DeviceAllow=char-DVB rw
DeviceAllow=char-drm rw
DevicePolicy=closed
ReadWriteDirectories=/etc/tvheadend
RuntimeDirectory=tvheadend
ProtectSystem=strict
ProtectHome=yes
NoNewPrivileges=yes

[Install]
WantedBy=multi-user.target

You will need to add your recordings directory to the ReadWriteDirectories entry.
Tested using systemd 232 and linux 4.8.12.
HW encoding doesn't work on my system, so any feedback on that would be welcome.
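As an added example (not code from the post or from the tvheadend project), here is a small Python lint that parses a unit file the way systemd reads it (repeated keys such as DeviceAllow=, optional spaces around "=", comment lines) and reports which of the hardening directives discussed in this thread are missing or inconsistent. The embedded sample is a constructed copy of the first unit file; the list of checks is my own, based on the directives used in both posts.

```python
"""Lint a systemd unit for the hardening directives used in this thread."""
from collections import defaultdict

# Constructed sample: the first unit file from the post, trimmed to what matters.
SAMPLE_UNIT = """\
[Unit]
Description=tvheadend

[Service]
User=tvheadend
Group=video
ExecStart=/usr/bin/tvheadend -C -c /etc/tvheadend
# Hardening
PrivateTmp=yes
DeviceAllow=char-DVB
DevicePolicy=closed
ReadWriteDirectories=/mnt/local/record /etc/tvheadend
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
"""

def parse_unit(text):
    """Return {section: {key: [values]}}; keys may repeat and spaces around '=' are allowed."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # new section header
            continue
        if section is None or "=" not in line:
            continue                      # stray line outside any section
        key, _, value = line.partition("=")
        sections[section][key.strip()].append(value.strip())
    return sections

def _is_true(svc, key):
    """systemd accepts several spellings of a boolean; only the last assignment counts."""
    return svc.get(key, [""])[-1].lower() in ("yes", "true", "on", "1")

def lint_service(unit_text):
    """Return a list of human-readable findings for the [Service] section."""
    svc = parse_unit(unit_text)["Service"]
    findings = []
    if svc.get("User", ["root"])[-1] == "root":          # User= defaults to root
        findings.append("runs as root: set User= to an unprivileged account")
    for key in ("NoNewPrivileges", "ProtectHome", "PrivateTmp"):
        if not _is_true(svc, key):
            findings.append(f"{key}=yes missing")
    protect = svc.get("ProtectSystem", [""])[-1]
    if protect not in ("full", "strict"):
        findings.append("ProtectSystem= should be full or strict")
    if svc.get("DevicePolicy", [""])[-1] == "closed" and not svc.get("DeviceAllow"):
        findings.append("DevicePolicy=closed with no DeviceAllow=: no device nodes reachable")
    if protect == "strict" and not (svc.get("ReadWriteDirectories") or svc.get("ReadWritePaths")):
        findings.append("ProtectSystem=strict without ReadWriteDirectories=: config dir is read-only")
    if svc.get("AmbientCapabilities") and not svc.get("CapabilityBoundingSet"):
        findings.append("AmbientCapabilities= set but CapabilityBoundingSet= not narrowed to match")
    return findings
```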
