Add further hardening for system services (#2542)

Cargo.lock

@@ -1092,6 +1092,7 @@ dependencies = [
  "kanidmd_core",
  "opentelemetry",
  "opentelemetry_api",
+ "prctl",
  "reqwest",
  "sd-notify",
  "serde",
@@ -3113,6 +3114,7 @@ dependencies = [
  "libsqlite3-sys",
  "lru 0.8.1",
  "notify-debouncer-full",
+ "prctl",
  "rpassword 7.3.1",
  "rusqlite",
  "selinux",
@@ -3718,6 +3720,17 @@ dependencies = [
  "tempfile",
 ]
 
+[[package]]
+name = "nix"
+version = "0.27.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053"
+dependencies = [
+ "bitflags 2.4.2",
+ "cfg-if",
+ "libc",
+]
+
 [[package]]
 name = "nom"
 version = "7.1.3"
@@ -4487,6 +4500,16 @@ version = "0.2.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
 
+[[package]]
+name = "prctl"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52"
+dependencies = [
+ "libc",
+ "nix",
+]
+
 [[package]]
 name = "predicates"
 version = "3.1.0"

Cargo.toml

@@ -184,6 +184,7 @@ tracing-opentelemetry = "0.21.0"
 
 paste = "^1.0.14"
 pkg-config = "^0.3.27"
+prctl = "1.0.0"
 proc-macro2 = "1.0.69"
 qrcode = "^0.12.0"
 quote = "1"

platform/opensuse/kanidmd.service

@@ -21,6 +21,11 @@ ExecStart=/usr/sbin/kanidmd server -c /etc/kanidm/server.toml
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
+# If OOM occurs, request a clean stop
+OOMPolicy=stop
+# Adjust our weight toward *not* being killed under pressure.
+OOMScoreAdjust=-100
+
 NoNewPrivileges=true
 PrivateTmp=true
 PrivateDevices=true

server/daemon/Cargo.toml

@@ -43,6 +43,7 @@ serde_json.workspace = true
 
 [target.'cfg(target_os = "linux")'.dependencies]
 sd-notify.workspace = true
+prctl.workspace = true
 
 [target.'cfg(target_family = "windows")'.dependencies]
 whoami = { workspace = true }

server/daemon/src/main.rs

@@ -226,6 +226,11 @@ async fn submit_admin_req(path: &str, req: AdminTaskRequest, output_mode: Consol
 }
 
 fn main() -> ExitCode {
+    // On linux when debug assertions are disabled, prevent ptrace
+    // from attaching to us.
+    #[cfg(all(target_os = "linux", not(debug_assertions)))]
+    prctl::set_dumpable(false);
+
     let maybe_rt = tokio::runtime::Builder::new_multi_thread()
         .enable_all()
         .thread_name("kanidmd-thread-pool")

unix_integration/Cargo.toml

@@ -93,6 +93,9 @@ walkdir = { workspace = true }
 [target.'cfg(not(target_family = "windows"))'.dependencies]
 kanidm_utils_users = { workspace = true }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+prctl.workspace = true
+
 [dev-dependencies]
 kanidmd_core = { workspace = true }
 kanidmd_testkit = { workspace = true }

unix_integration/src/daemon.rs

@@ -469,6 +469,11 @@ async fn write_hsm_pin(hsm_pin_path: &str) -> Result<(), Box<dyn Error>> {
 
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> ExitCode {
+    // On linux when debug assertions are disabled, prevent ptrace
+    // from attaching to us.
+    #[cfg(all(target_os = "linux", not(debug_assertions)))]
+    prctl::set_dumpable(false);
+
     let cuid = get_current_uid();
     let ceuid = get_effective_uid();
     let cgid = get_current_gid();

unix_integration/src/tasks_daemon.rs

@@ -261,6 +261,11 @@ async fn handle_tasks(stream: UnixStream, cfg: &KanidmUnixdConfig) {
 
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> ExitCode {
+    // On linux when debug assertions are disabled, prevent ptrace
+    // from attaching to us.
+    #[cfg(all(target_os = "linux", not(debug_assertions)))]
+    prctl::set_dumpable(false);
+
     // let cuid = get_current_uid();
     // let cgid = get_current_gid();
     // We only need to check effective id