
Decided to put together a reasonably hardened systemd service configuration for AttestationServer while keeping it portable across different Linux distributions. The number of options that need to be configured due to it all being default allow is nuts:
Since we run this in a dedicated virtual machine, it doesn't accomplish much for us. The only valuable data is the attestation database which it inherently needs to read/write. I mostly wanted to see how they were exposing the kernel functionality. It's honestly quite a mess.
They came up with a lot of their own ways of doing it instead of simply exposing the low-level functionality. It's very clear that a lot of this wasn't carefully designed in advance. I'm really not a fan of the odd semantics they have for their features based on mount namespaces.
It's better than I remember it being, at least. The relatively reasonable groups of system calls are fairly nice along with the ability to combine allow lists with deny lists. Don't want to do that by hand because it's too hard to keep it portable, and we aren't mandating an OS.
They have an amusing `systemd-analyze security [unit]` tool for patting you on the back if you use a lot of these features. Not sure why it considers RemoveIPC a security feature rather than encouraging removing the system calls or offering IPC namespaces, but other than that...
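The kind of unit the thread describes, written out as an added illustration (it is not the project's own service file): the unit name, the `ExecStart` path and the `attestation` state directory are assumptions, while every directive is a real systemd option.

```ini
# attestation.service -- ADDED EXAMPLE, not the project's own unit file.
# Assumptions: the server launcher is /usr/local/bin/attestation-server
# and its database lives under /var/lib/attestation (StateDirectory).
[Unit]
Description=AttestationServer (hardened example unit)

[Service]
ExecStart=/usr/local/bin/attestation-server
# Unprivileged transient user; StateDirectory is the only writable path.
DynamicUser=yes
StateDirectory=attestation
UMask=0077
NoNewPrivileges=yes
CapabilityBoundingSet=

# Filesystem: read-only /usr, /etc, /boot; no /home; private /tmp and /dev.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectProc=invisible
ProcSubset=pid

# Kernel interfaces the service has no reason to touch.
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
RemoveIPC=yes

# Syscalls: start from the @system-service allow list, then subtract
# deny-listed groups (a leading ~ on a later line removes entries).
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources @obsolete
SystemCallErrorNumber=EPERM

# Sockets: TCP/IP to listen on, AF_UNIX for the journal stdout/stderr.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# MemoryDenyWriteExecute=yes is deliberately omitted: a JIT-compiling
# runtime such as the JVM needs writable-then-executable pages.
```

`systemd-analyze security attestation.service` scores the result once the unit is loaded; replace the assumed `ExecStart` path and state directory with the real ones first.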