Allow control socket, PID and log file for Tinc 1.1 in systemd unit
In order to isolate the unit as much as possible, but not lose the functionality to write files, the files are now written to extra directories.
Due to the security restrictions, Tinc has lost the ability to write to the `/var/log` and `/var/run` directories. One possibility would be to allow this explicitly, but then Tinc could also access files from other programs. Therefore, an extra directory `/var/log/tinc/` and `/var/run/tinc` is created for Tinc, into which Tinc can then write.
The automatic creation of the directories is achieved with the directives `RuntimeDirectory` and `LogsDirectory`. Access to them is allowed via `ReadWritePaths`. To create platform compatibility, placeholders such as `%L` for the log directory, `%t` for the runstate directory and `%E` for the configuration file directory are used instead of the absolute directory names.

Signed-off-by: Marek Küthe <[email protected]>
marek22k committed Feb 3, 2024
1 parent 54e7bdf commit 3d70016
Showing 2 changed files with 7 additions and 4 deletions.
2 changes: 1 addition & 1 deletion systemd/tinc.service.in
@@ -14,7 +14,7 @@ Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
ExecReload=/bin/true
WorkingDirectory=@sysconfdir@/tinc
WorkingDirectory=%E/tinc

[Install]
WantedBy=multi-user.target
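Review bot: replacing @sysconfdir@/tinc with %E/tinc on the WorkingDirectory line drops the build-time prefix. %E resolves to /etc for system units regardless of the --sysconfdir the package was configured with, whereas @sysconfdir@ was substituted by configure; a build with a non-default sysconfdir now gets a WorkingDirectory that no longer matches where its configuration was installed. Either keep @sysconfdir@ here, or state in the commit message that /etc is assumed for this unit.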
9 changes: 6 additions & 3 deletions systemd/[email protected]
@@ -9,14 +9,15 @@ ReloadPropagatedFrom=tinc.service
[Service]
RemoveIPC=true
NoNewPrivileges=true
ReadWritePaths=%L/tinc/ %t/tinc/
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
SystemCallArchitectures=native
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap
MemoryDenyWriteExecute=true
RestrictSUIDSGID=true
LockPersonality=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=true
RestrictNamespaces=true
ProtectSystem=strict
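Review bot: the new `ReadWritePaths=%L/tinc/ %t/tinc/` line is redundant with the `RuntimeDirectory=tinc` and `LogsDirectory=tinc` directives added further down in the same file: systemd already exempts directories declared through RuntimeDirectory= and LogsDirectory= from ProtectSystem=strict, so keeping both means two lists of paths that must be kept in sync by hand. Dropping ReadWritePaths= leaves the directory directives as the single source of truth. Adding AF_UNIX to RestrictAddressFamilies is the right change for a control socket, but it would help reviewers if the commit message said where that socket is created, so the writable paths can be checked against it.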
@@ -35,8 +36,10 @@ DeviceAllow=/dev/net/tun rwm
DeviceAllow=/dev/net/tap rwm

Type=notify
WorkingDirectory=@sysconfdir@/tinc/%i
ExecStart=@sbindir@/tincd -n %i -D
WorkingDirectory=%E/tinc/%i
RuntimeDirectory=tinc
LogsDirectory=tinc
ExecStart=@sbindir@/tincd -n %i --pidfile=%t/tinc/%i.pid --logfile=%L/tinc/%i.log -D
ExecReload=@sbindir@/tinc -n %i reload
KillMode=mixed
Restart=on-failure
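Review bot: `RuntimeDirectory=tinc` is shared by every instance of this template unit, and with the default RuntimeDirectoryPreserve=no systemd removes %t/tinc when an instance stops, so stopping one tinc network deletes the other running instances' `%i.pid` files along with it. Per-instance directories, e.g. `RuntimeDirectory=tinc/%i` with `--pidfile=%t/tinc/%i/pid`, or `RuntimeDirectoryPreserve=yes`, avoid that. Separately, the commit title mentions a control socket but the ExecStart line only passes --pidfile and --logfile; the commit message should say how the socket path follows from the pidfile, so the AF_UNIX and %t/tinc changes can be verified against it.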
