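# systemd service unit for the NGCP Panel FastCGI web application.
# Read by systemd: '#' full-line comments, '=' delimiter, repeated keys
# accumulate for list-type settings (After=, Environment=, ReadWritePaths=).

[Unit]
Description=NGCP Panel Webapp
# Start after the network and the database; the database is a soft
# dependency (Wants=), the network a hard one (Requires=).
After=network.target
After=mariadb.service
Requires=network.target
Wants=mariadb.service

[Service]
# Type=notify: systemd waits for a readiness notification from the
# process (presumably ngcp_panel_fastcgi.pl sends it - confirm).
Type=notify
Environment="HOME=/usr/share/ngcp-panel"
# Number of FastCGI worker processes; expanded into ExecStart below.
Environment="NPROC=1"
# Run unprivileged. This is also what makes RemoveIPC= and the empty
# capability sets below take effect.
User=www-data
Group=www-data
# /run/fastcgi is created for the service user, kept across restarts, and
# holds the listen socket and the pid file. systemd keeps it writable even
# under ProtectSystem=strict below.
RuntimeDirectory=fastcgi
RuntimeDirectoryPreserve=yes
# NOTE: PIDFile= is normally used with Type=forking; with Type=notify it is
# informational here - confirm it is still needed.
PIDFile=/run/fastcgi/ngcp-panel.pid
ExecStart=/usr/share/ngcp-panel/ngcp_panel_fastcgi.pl --listen /run/fastcgi/ngcp-panel.sock --pidfile /run/fastcgi/ngcp-panel.pid --nproc $NPROC

# ---- Sandboxing -----------------------------------------------------------

# Service cannot create memory mappings that are writable and executable at the same time
MemoryDenyWriteExecute=true
# Files + directories not directly associated with processes are made invisible in the /proc/ file system
ProcSubset=pid
# Writes to the hardware clock or system clock will be denied
ProtectClock=true
# Service cannot modify the control group file system (via /sys/fs/cgroup)
ProtectControlGroups=true
# Service has no access to home directories
ProtectHome=true
# Set up new UTS namespace for the executed processes + changing hostname or domainname is prevented
ProtectHostname=true
# Service cannot load or read kernel modules
ProtectKernelModules=true
# Service cannot alter kernel tunables (/proc + /sys)
ProtectKernelTunables=true
# Service has strict read-only access to the OS file hierarchy;
# writable locations are only RuntimeDirectory= and ReadWritePaths=
ProtectSystem=strict
# Access to the kernel log ring buffer will be denied
ProtectKernelLogs=true
# Processes owned by other users are hidden from /proc/
ProtectProc=invisible
# Service may execute system calls only with native ABI
SystemCallArchitectures=native
# Empty bounding set: no capabilities at all
CapabilityBoundingSet=
# Service process does not receive ambient capabilities
AmbientCapabilities=
# Service has no access to other software's temporary files
PrivateTmp=true
# Service has no access to hardware devices
PrivateDevices=true

# Limit write access
# NOTE: we need r/w access to ngcp-panel/Catalyst tmp folder
ReadWritePaths=/ngcp-data/tmp/www-data/
# NOTE: we need r/w access to /ngcp-data/spool/faxserver for sending fax
# The leading '-' makes systemd ignore the entry if the path does not exist.
ReadWritePaths=-/ngcp-data/spool/faxserver

# Service cannot change ABI personality
LockPersonality=true
# Turn off acquisition of new privileges (setuid/setgid/file capabilities)
NoNewPrivileges=true
# PrivateUsers=true would give the service its own user namespace in which
# only root, nobody and the service's own uid/gid are mapped.
# NOTE: we can't have our own user namespace, as we need proper permissions e.g. to /ngcp-data/spool/faxserver
PrivateUsers=false
# SysV/POSIX IPC objects owned by the service user are removed when the unit stops
# NOTE: the unit runs as www-data (User= above), so this option IS in effect.
# It removes every IPC object owned by www-data, which may include objects
# created by other www-data processes on the host - confirm none rely on them.
RemoveIPC=true
# Restrict service to allocation of local, ipv4 + ipv6 sockets
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Restrict access to the various process namespace types the Linux kernel provides
RestrictNamespaces=true
# Service may not acquire realtime scheduling
RestrictRealtime=true
# Attempts to set SUID or SGID bits on files or directories will be denied
RestrictSUIDSGID=true
# Files created by service are accessible only by service's own user by default.
# NOTE: this also applies to the listen socket in /run/fastcgi, so the web
# server that connects to it must run as www-data - confirm.
UMask=0077
# NOTE: Service needs access to the host's network
PrivateNetwork=false
# Control access to specific device nodes by the executed processes
DevicePolicy=closed
# NOTE: we need network access to e.g. redis server
# NOTE: without an IPAddressDeny= this allow-list restricts nothing; it only
# documents the intent to keep full network access.
IPAddressAllow=any
# Maximum number of bytes of memory that may be locked into RAM
LimitMEMLOCK=0
# Restrict system calls that are allowed to be executed
# NOTE: @system-service => reasonable set of system calls used by common system services
SystemCallFilter=@system-service
# NOTE: filtered calls return ENOSYS instead of terminating the process immediately
SystemCallErrorNumber=ENOSYS
# All system calls except the listed ones will be logged, i.e. exactly the
# calls that the filter above rejects show up in the audit/kernel log
SystemCallLog=~@system-service seccomp

[Install]
WantedBy=multi-user.target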