
Add confinement around Blazegraph
Closed, Resolved, Public

Description

From T90115

I don't have any concerns/objections about setting this up, I mostly wanted to know the status of the various countermeasures mentioned in this task.

What kind of measures do you propose?

systemd supports various features to restrict running processes, e.g. for restricting filesystem access or through disallowing potentially harmful syscalls using seccomp-bpf. This doesn't need to be present in the initial deployment, but it would be good to add in a follow-up step.

Event Timeline

csteipp created this task. Aug 8 2015, 12:00 AM
csteipp raised the priority of this task from to Needs Triage.
csteipp updated the task description.
csteipp added a subscriber: csteipp.
Restricted Application added projects: Wikidata, Discovery. Aug 8 2015, 12:00 AM
Restricted Application added a subscriber: Aklapper.
Lydia_Pintscher moved this task from incoming to monitoring on the Wikidata board. Aug 11 2015, 2:21 PM
Smalyshev triaged this task as Medium priority. Sep 12 2016, 10:44 PM

This seems to be dormant for a long time. @csteipp, do you have any specific advice as to what should be done here? Or, given the fact it's running on their own servers, it may be unnecessary? Would like to hear some advice on this.

Smalyshev closed this task as Resolved. Jan 3 2019, 1:28 AM
Smalyshev claimed this task.

We have this config in systemd right now:

PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

ReadOnlyDirectories=/
# data storage
ReadWriteDirectories=/srv/wdqs
# logs
ReadWriteDirectories=/var/log/wdqs
# already protected by PrivateTmp
ReadWriteDirectories=/tmp /var/tmp

I think this can be closed. If there's more needed, please reopen and describe what is missing.
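A drop-in unit that carries the confinement shown above and adds the seccomp-bpf syscall filter the task description asked for, written here as an added example and not the unit actually deployed for WDQS; the unit name `blazegraph.service`, the drop-in path, and `PrivateTmp=yes` being set in the base unit are assumptions.

```ini
# /etc/systemd/system/blazegraph.service.d/confinement.conf
# Assumed path and unit name. Added example, not the deployed unit.
# systemd unit files take comments only on their own lines, never after
# a value. Run `systemctl daemon-reload` after editing a drop-in.
[Service]

# Directives already present in the task's config.
PrivateDevices=yes
ProtectSystem=full
ProtectHome=yes
NoNewPrivileges=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# The comments in the task rely on PrivateTmp; assumed to be in the base unit.
PrivateTmp=yes
# ReadOnlyPaths=/ReadWritePaths= are the current names for
# ReadOnlyDirectories=/ReadWriteDirectories=; the old names still work.
ReadOnlyPaths=/
ReadWritePaths=/srv/wdqs /var/log/wdqs /tmp /var/tmp

# The seccomp-bpf part from the description: an allow-list of the syscall
# groups an ordinary service needs (@system-service); everything outside it,
# e.g. @mount, @module, @reboot, @raw-io, is denied. A denied call kills the
# process with SIGSYS by default, so after enabling look in
# `journalctl -u blazegraph` for "code=killed, status=31/SYS". For a
# diagnosis run, SystemCallErrorNumber=EPERM makes denied calls fail with an
# error instead of killing the JVM.
SystemCallFilter=@system-service
SystemCallArchitectures=native

# Further kernel-facing restrictions that a JVM service tolerates.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
RestrictNamespaces=yes
RestrictRealtime=yes
LockPersonality=yes

# Deliberately NOT set: MemoryDenyWriteExecute=yes. The JVM's JIT needs
# pages that are both writable and executable, so it would crash Blazegraph.
```

`systemd-analyze security blazegraph.service` (systemd 240 and later) scores the effective settings and lists which of these directives are missing from the running unit.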