scottk/firezone
1
0
Fork 0
mirror of https://github.com/outbackdingo/firezone.git synced 2026-03-21 23:41:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
da85408e27fcbbf3dc147f2cf929d8fd6e08efdd
firezone/scripts/tests/systemd/firezone-client-headless.service
Reactor Scram bc940784bd refactor(linux-client): remove FIREZONE_ID from example systemd file (#4714) 
For tests it doesn't hurt, but this will be used as a template for the
systemd service we ship to production, and that can't have the ID there.

So I'm also cleaning up a few other problems I noticed:
- I wanted to split the service files as part of #4531, so that the GUI
Client and headless Client can have separate sandbox rules. e.g, the
headless Client won't be allowed to create Unix domain sockets
- I'm punting more things to systemd, which allows us to tighten down
the sandbox further, e.g. creating `/var/lib/dev.firezone.client` and
`/run/dev.firezone.client` for us
- Closes #4461

---------

Signed-off-by: Reactor Scram <ReactorScram@users.noreply.github.com>
2024-04-25 23:08:06 +00:00

48 lines
1.2 KiB
Desktop File
Raw Blame History

[Unit]
Description=Firezone Client
[Service]
AmbientCapabilities=CAP_NET_ADMIN
CapabilityBoundingSet=CAP_NET_ADMIN
DeviceAllow=/dev/net/tun
LockPersonality=true
MemoryDenyWriteExecute=true
NoNewPrivileges=true
PrivateMounts=true
PrivateTmp=true
# We need to be real root, not just root in our cgroup
PrivateUsers=false
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# Docs say it's useless when running as root, but defense-in-depth
ProtectProc=invisible
ProtectSystem=strict
# Netlink needed for the tunnel interface, Unix needed for `systemd-resolved`
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
StateDirectory=dev.firezone.client
SystemCallArchitectures=native
# TODO: Minimize
SystemCallFilter=@aio @basic-io @file-system @io-event @network-io @signal @system-service
UMask=077
Environment="FIREZONE_API_URL=ws://localhost:8081"
Environment="FIREZONE_DNS_CONTROL=systemd-resolved"
Environment="RUST_LOG=info"
ExecStart=firezone-linux-client standalone
Type=notify
# Unfortunately we may need root to control DNS
User=root
[Install]
WantedBy=default.target
Reference in New Issue View Git Blame Copy Permalink