| Message ID | 20210709101037.yjjcibln6s2ew7x7@gmail.com |
|---|---|
| State | Accepted |
| Series | [1/2] paccache.service.in: Harden unit |
Hello. These are basically just copy/pasted (with minor tweaks for Makefile) from my own override file running on two systems. Since I put in the work writing and testing these options/settings, I figured I’d share them and possibly have them upstreamed if deemed acceptable.

[PATCH 1] tightens the unit down a good deal, which may be too much for some people’s systems. E.g., the ReadWritePaths path is the pacman.conf default, which is a fairly easy one to edit. If people run setups where they use paccache.service with multiple pacman caches, they probably need to edit the .service file anyway, at which point they can also edit the ReadWritePaths to match their setup.

[PATCH 2] basically just deprioritises the paccache process as much as possible. I split that out since it’s not hardening and it might not be something that would be wanted across all systems. Not sure what systems would have this be an important service that should not be as undisruptive as possible, but 🤷.
On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> they probably need to edit the .service file anyway

Why? doesn't the service just call `paccache -r` which in turn reads
pacman.conf?
On Fri, Jul 09, 2021 at 11:32:18AM +0100, Morgan Adamiec via pacman-contrib wrote:
> On 09/07/2021 11:19, Frederik “Freso” S. Olesen via pacman-contrib wrote:
> > they probably need to edit the .service file anyway
>
> Why? doesn't the service just call `paccache -r` which in turn reads
> pacman.conf?

Yeah, you’re right. I forgot that CacheDir can take multiple directories.

v2 of patch 1 changes `ProtectSystem=strict` to `ProtectSystem=full`, which removes the need to specify ReadWritePaths. It can be demoted further to `ProtectSystem=yes` if people use /etc/… as one of the cache directories, or removed entirely if /usr/…, /boot/… or /efi/… are used as cache paths. I guess /usr/local/… might be? /usr/local/ could be added in as a ReadWritePaths if we want to support that while still locking down /usr/ otherwise.

(Patch 2/2 still applies frictionlessly on top of patch 1 v2, so I didn’t resend that.)
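A small checker for the reasoning in the reply above, written for this page as an added example and not code from pacman-contrib or the thread: it pulls the CacheDir entries out of a pacman.conf, reports the strictest ProtectSystem= level under which every cache directory stays writable, and emits the ReadWritePaths= line a stricter level would need (e.g. /usr/local/… under `full`). The per-level read-only prefixes follow systemd.exec(5); the pacman.conf excerpt is constructed.

```python
import re
from pathlib import PurePosixPath

# Read-only prefixes imposed by each ProtectSystem= level, per systemd.exec(5):
# "yes" covers /usr and the boot loader dirs, "full" adds /etc, "strict" covers all.
READ_ONLY = {
    "yes": ("/usr", "/boot", "/efi"),
    "full": ("/usr", "/boot", "/efi", "/etc"),
    "strict": ("/",),
}
LEVELS = ("strict", "full", "yes", "no")  # most to least hardened

# Constructed pacman.conf excerpt (not a real system's file): CacheDir given
# both as several directories on one line and as a repeated key.
SAMPLE_CONF = """[options]
CacheDir = /var/cache/pacman/pkg/ /usr/local/cache/pkg/
CacheDir = /srv/pkgcache/
#CacheDir = /boot/ignored/
"""

def cache_dirs(conf_text):
    """Collect every CacheDir entry; fall back to pacman's default if none."""
    dirs = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"CacheDir\s*=\s*(.+)", line)
        if m:
            dirs.extend(m.group(1).split())
    return dirs or ["/var/cache/pacman/pkg/"]

def _under(path, prefix):
    p, q = PurePosixPath(path).parts, PurePosixPath(prefix).parts
    return p[:len(q)] == q

def read_only_dirs(dirs, level):
    """CacheDirs that the given ProtectSystem= level would make read-only."""
    return [d for d in dirs if any(_under(d, p) for p in READ_ONLY.get(level, ()))]

def strictest_level(dirs):
    """Most hardened level under which every CacheDir stays writable as-is."""
    return next(l for l in LEVELS if not read_only_dirs(dirs, l))

def unit_lines(dirs, level):
    """[Service] lines for the chosen level, with ReadWritePaths= where needed."""
    if level == "no":
        return []  # hardening dropped entirely, as suggested for /usr, /boot, /efi caches
    rw = read_only_dirs(dirs, level)
    return [f"ProtectSystem={level}"] + (["ReadWritePaths=" + " ".join(rw)] if rw else [])
```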
Pushed, thank you! On 7/9/21 6:10 AM, Frederik “Freso” S. Olesen via pacman-contrib wrote: > The unit will be run in the background and is not essential for systems > to operate, so giving it the lowest priority will help make it less > disruptive on its system. > > Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> > --- > src/paccache.service.in | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/src/paccache.service.in b/src/paccache.service.in > index 0f71f5f..79b1c91 100644 > --- a/src/paccache.service.in > +++ b/src/paccache.service.in > @@ -4,6 +4,13 @@ Description=Remove unused cached package files > [Service] > Type=oneshot > ExecStart=@bindir@/paccache -r > +# Lowering priority > +OOMScoreAdjust=1000 > +Nice=19 > +CPUSchedulingPolicy=idle > +CPUSchedulingPriority=1 > +IOSchedulingClass=idle > +IOSchedulingPriority=7 > # Sandboxing and other hardening > ProtectProc=invisible > ProcSubset=pid
diff --git a/src/paccache.service.in b/src/paccache.service.in index 0f71f5f..79b1c91 100644 --- a/src/paccache.service.in +++ b/src/paccache.service.in @@ -4,6 +4,13 @@ Description=Remove unused cached package files [Service] Type=oneshot ExecStart=@bindir@/paccache -r +# Lowering priority +OOMScoreAdjust=1000 +Nice=19 +CPUSchedulingPolicy=idle +CPUSchedulingPriority=1 +IOSchedulingClass=idle +IOSchedulingPriority=7 # Sandboxing and other hardening ProtectProc=invisible ProcSubset=pid
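Review bot: `CPUSchedulingPriority=1` does not fit the `CPUSchedulingPolicy=idle` set two lines above it. systemd.exec(5) documents CPUSchedulingPriority= as a setting for the realtime policies (fifo, rr); for idle, other and batch the kernel only accepts priority 0, so this line is at best ignored with an out-of-range warning at unit load, and depending on the systemd version it may instead make sched_setscheduler() fail when the unit starts. Drop it and keep `CPUSchedulingPolicy=idle` alone. `Nice=19` is harmless but largely redundant under SCHED_IDLE, which already only runs when nothing else wants the CPU; the I/O lines (`IOSchedulingClass=idle`, `IOSchedulingPriority=7`) are consistent with each other.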
The unit will be run in the background and is not essential for systems to operate, so giving it the lowest priority will help make it less disruptive on its system.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
---
 src/paccache.service.in | 7 +++++++
 1 file changed, 7 insertions(+)