diff --git a/Cargo.lock b/Cargo.lock
index 303cd8462..5b3bff811 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1092,6 +1092,7 @@ dependencies = [ "kanidmd_core", "opentelemetry", "opentelemetry_api", + "prctl", "reqwest", "sd-notify", "serde",
@@ -3113,6 +3114,7 @@ dependencies = [ "libsqlite3-sys", "lru 0.8.1", "notify-debouncer-full", + "prctl", "rpassword 7.3.1", "rusqlite", "selinux",
@@ -3718,6 +3720,17 @@ dependencies = [ "tempfile", ] +[[package]] +name = "nix" +version = "0.27.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "2eb04e9c688eff1c89d72b407f168cf79bb9e867a9d3323ed6c01519eb9cc053" +dependencies = [ + "bitflags 2.4.2", + "cfg-if", + "libc", +] + [[package]] name = "nom" version = "7.1.3"
@@ -4487,6 +4500,16 @@ version = "0.2.17" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de" +[[package]] +name = "prctl" +version = "1.0.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "059a34f111a9dee2ce1ac2826a68b24601c4298cfeb1a587c3cb493d5ab46f52" +dependencies = [ + "libc", + "nix", +] + [[package]] name = "predicates" version = "3.1.0"
diff --git a/Cargo.toml b/Cargo.toml
index 3fa41a6b8..5908fa708 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -184,6 +184,7 @@ tracing-opentelemetry = "0.21.0"
 
 paste = "^1.0.14"
 pkg-config = "^0.3.27"
+prctl = "1.0.0"
 proc-macro2 = "1.0.69"
 qrcode = "^0.12.0"
 quote = "1"
diff --git a/platform/opensuse/kanidmd.service b/platform/opensuse/kanidmd.service
index 969d02baa..9ff4a01c8 100644
--- a/platform/opensuse/kanidmd.service
+++ b/platform/opensuse/kanidmd.service
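Review bot: `prctl = "1.0.0"` brings two new crates into the dependency tree for a single prctl(2) call — the lockfile hunks above add `prctl 1.0.0` together with its dependency `nix 0.27.1`, which in turn pulls `bitflags`, `cfg-if` and `libc`. If `libc` is already a workspace dependency, which this hunk does not show, the same effect is one `unsafe` call to `libc::prctl(libc::PR_SET_DUMPABLE, 0, 0, 0, 0)` behind the same cfg gate, with no new supply-chain surface to track. If the wrapper crate is kept, its maintenance status is worth a look, since it is now compiled into every Linux binary in the workspace. The neighbouring entries mix `"^x.y.z"` and bare `"x.y.z"` requirements, which are equivalent caret ranges, so the bare form here is consistent with the file.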
@@ -21,6 +21,11 @@ ExecStart=/usr/sbin/kanidmd server -c /etc/kanidm/server.toml
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 
+# If OOM occurs, request a clean stop
+OOMPolicy=stop
+# Adjust our weight toward *not* being killed under pressure.
+OOMScoreAdjust=-100
+
 NoNewPrivileges=true
 PrivateTmp=true
 PrivateDevices=true
diff --git a/server/daemon/Cargo.toml b/server/daemon/Cargo.toml
index fb3ed6a12..02193dc09 100644
--- a/server/daemon/Cargo.toml
+++ b/server/daemon/Cargo.toml
@@ -43,6 +43,7 @@ serde_json.workspace = true
 
 [target.'cfg(target_os = "linux")'.dependencies]
 sd-notify.workspace = true
+prctl.workspace = true
 
 [target.'cfg(target_family = "windows")'.dependencies]
 whoami = { workspace = true }
diff --git a/server/daemon/src/main.rs b/server/daemon/src/main.rs
index d2523896b..9d189b9e6 100644
--- a/server/daemon/src/main.rs
+++ b/server/daemon/src/main.rs
@@ -226,6 +226,11 @@ async fn submit_admin_req(path: &str, req: AdminTaskRequest, output_mode: Consol
 }
 
 fn main() -> ExitCode {
+ // On linux when debug assertions are disabled, prevent ptrace
+ // from attaching to us.
+ #[cfg(all(target_os = "linux", not(debug_assertions)))]
+ prctl::set_dumpable(false);
+
 let maybe_rt = tokio::runtime::Builder::new_multi_thread()
 .enable_all()
 .thread_name("kanidmd-thread-pool")
diff --git a/unix_integration/Cargo.toml b/unix_integration/Cargo.toml
index d208b9f4d..2c64c5c1f 100644
--- a/unix_integration/Cargo.toml
+++ b/unix_integration/Cargo.toml
@@ -93,6 +93,9 @@ walkdir = { workspace = true }
 [target.'cfg(not(target_family = "windows"))'.dependencies]
 kanidm_utils_users = { workspace = true }
 
+[target.'cfg(target_os = "linux")'.dependencies]
+prctl.workspace = true
+
 [dev-dependencies]
 kanidmd_core = { workspace = true }
 kanidmd_testkit = { workspace = true }
diff --git a/unix_integration/src/daemon.rs b/unix_integration/src/daemon.rs
index f54ea10ab..e72c6457b 100644
--- a/unix_integration/src/daemon.rs
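Review bot: The comment `# If OOM occurs, request a clean stop` overstates what `OOMPolicy=stop` does: it does not let the OOM-killed process exit cleanly, it tells the service manager to SIGTERM the remaining processes of the unit after the kernel has already killed one, so for a single-process service it mostly decides the unit's final state rather than how the kill happens. A more accurate comment would be `# If the kernel OOM-kills a process in this unit, stop the whole unit`. `OOMPolicy=` was introduced in systemd 243; an older manager logs an unknown-key warning and ignores it, so the directive is safe to ship but not guaranteed to take effect. `OOMScoreAdjust=-100` is a hint rather than protection — the kernel can still pick this process — and the adjustment is inherited by any child processes the daemon spawns. If other platform directories ship their own `kanidmd.service`, which this diff does not show, they should receive the same settings.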
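Review bot: `prctl::set_dumpable(false);` discards the call's return value — as far as I know the `prctl` crate's setters return `Result<(), i32>` carrying errno, so a failed `PR_SET_DUMPABLE` silently leaves the process dumpable, and because `Result` is `#[must_use]` the bare statement also produces an unused-result warning, which matters if the crate denies warnings. The `not(debug_assertions)` gate means this line is never compiled in a debug build, so neither the warning nor a runtime failure surfaces in the usual dev or CI build; something like `if let Err(e) = prctl::set_dumpable(false) { eprintln!("Unable to set PR_SET_DUMPABLE: {e}"); }` makes the outcome visible, or at minimum `let _ = prctl::set_dumpable(false);` with a comment saying why failure is tolerated. The same four lines are repeated verbatim in the daemon.rs and tasks_daemon.rs hunks below; a small shared helper in a crate all three binaries already depend on would keep the cfg gate and the error handling in one place. Note also that a non-dumpable process blocks ptrace attach only from unprivileged same-UID peers (and disables core dumps) — a caller holding CAP_SYS_PTRACE can still attach — so this complements rather than replaces the `NoNewPrivileges=` and capability bounding in the unit file. main's body continues outside the hunk.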
+++ b/unix_integration/src/daemon.rs
@@ -469,6 +469,11 @@ async fn write_hsm_pin(hsm_pin_path: &str) -> Result<(), Box> {
 
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> ExitCode {
+ // On linux when debug assertions are disabled, prevent ptrace
+ // from attaching to us.
+ #[cfg(all(target_os = "linux", not(debug_assertions)))]
+ prctl::set_dumpable(false);
+
 let cuid = get_current_uid();
 let ceuid = get_effective_uid();
 let cgid = get_current_gid();
diff --git a/unix_integration/src/tasks_daemon.rs b/unix_integration/src/tasks_daemon.rs
index 3a67a2178..b9ecb7e73 100644
--- a/unix_integration/src/tasks_daemon.rs
+++ b/unix_integration/src/tasks_daemon.rs
@@ -261,6 +261,11 @@ async fn handle_tasks(stream: UnixStream, cfg: &KanidmUnixdConfig) {
 
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> ExitCode {
+ // On linux when debug assertions are disabled, prevent ptrace
+ // from attaching to us.
+ #[cfg(all(target_os = "linux", not(debug_assertions)))]
+ prctl::set_dumpable(false);
+
 // let cuid = get_current_uid();
 // let cgid = get_current_gid();
 // We only need to check effective id
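Review bot: The dumpable flag set here is not sticky across a privilege change — the kernel resets it to the `fs.suid_dumpable` sysctl value whenever the process's effective or filesystem UID/GID changes (prctl(2)), and the lines right after the insertion (`get_current_uid()`, `get_effective_uid()`, `get_current_gid()`) show this daemon inspects its identity. If main later drops privileges or switches group, which I cannot see from this hunk, the `prctl::set_dumpable(false)` call belongs after that switch (or should be repeated there); otherwise on a host with `fs.suid_dumpable = 1` the process becomes dumpable, and therefore ptrace-attachable by same-UID peers, again. The same consideration applies to the tasks_daemon.rs hunk below, whose surviving comment says it checks the effective id. A useful side effect worth adding to the comment is that while the process is non-dumpable its `/proc/<pid>/` files such as `environ` and `maps` are owned by root, so an unprivileged same-UID process cannot read them either. main's body continues outside the hunk.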