Improve security of rest-server.service by restricting network access

This patch improves the overall security assessment score given by `systemd-analyze security rest-server.service` from "1.3 OK" to "0.6 SAFE" (when using systemd-analyze version 253) * Remove `AF_INET AF_INET6` from RestrictAddressFamilies. Sockets originating from socket activation are not affected by the systemd directive RestrictAddressFamilies. See systemd.exec man page. * Add `PrivateNetwork=yes` as recommended for socket-activated services in the systemd.socket man page * Add dependency on rest-server.socket Signed-off-by: Erik Sjölund <erik.sjolund@gmail.com>
2025-10-19 15:43:21 +00:00 · 2023-07-13 18:28:33 +02:00 · 2023-07-13 18:28:33 +02:00 · ec2ce8cd27
commit ec2ce8cd27
parent c38e18b708
1 changed files with 8 additions and 4 deletions
--- a/examples/systemd/rest-server.service
+++ b/examples/systemd/rest-server.service
@ -2,9 +2,8 @@
 Description=Rest Server
 After=syslog.target
 After=network.target
-
-# if you want to use socket activation, make sure to require the socket here
-#Requires=rest-server.socket
+Requires=rest-server.socket
+After=rest-server.socket

 [Service]
 Type=simple
@ -37,6 +36,11 @@ CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
+
+# As the listen socket is created by systemd via the rest-server.socket unit, it is
+# no longer necessary for rest-server to have access to the host network namespace.
+PrivateNetwork=yes
+
 PrivateTmp=yes
 PrivateDevices=true
 PrivateUsers=true
@ -51,7 +55,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host