r/restic: Enhance restic-backup security sandbox
Since `restic` needs to run as root in order to back up files regardless of their permissions, we need to restrict it to doing only that. Using systemd sandbox features, especially the capability bounding set, we can remove all of _root_'s powers except the ability to read all files.frigate-exporter
parent
c2c283c431
commit
7d93ba836e
|
|
@ -10,3 +10,22 @@ Environment=RESTIC_PASSWORD_FILE=%d/restic.password
|
||||||
Environment=XDG_CACHE_HOME=%C
|
Environment=XDG_CACHE_HOME=%C
|
||||||
EnvironmentFile=-%E/restic/environment
|
EnvironmentFile=-%E/restic/environment
|
||||||
ExecStart=/usr/bin/restic backup --files-from %E/restic/include --exclude-file %E/restic/exclude --exclude-if-present .nobackup
|
ExecStart=/usr/bin/restic backup --files-from %E/restic/include --exclude-file %E/restic/exclude --exclude-if-present .nobackup
|
||||||
|
CacheDirectory=restic
|
||||||
|
CapabilityBoundingSet=CAP_DAC_READ_SEARCH
|
||||||
|
MemoryDenyWriteExecute=yes
|
||||||
|
PrivateDevices=yes
|
||||||
|
PrivateTmp=yes
|
||||||
|
ProtectClock=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectHome=read-only
|
||||||
|
ProtectKernelLogs=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectProc=invisible
|
||||||
|
ProtectSystem=strict
|
||||||
|
ReadWritePaths=%t
|
||||||
|
ReadWritePaths=%T
|
||||||
|
ReadWritePaths=%V
|
||||||
|
RestrictRealtime=yes
|
||||||
|
RestrictSUIDSGID=yes
|
||||||
|
UMask=0077
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue