From 84abbd13d761f066495859573ae74716e5534a1e Mon Sep 17 00:00:00 2001
From: Aquila Macedo
Date: Wed, 11 Mar 2026 20:13:48 -0300
Subject: [PATCH] systemd: Add low risk hardening to unit templates

Harden mariadb.service and mariadb@.service with low regression systemd sandboxing defaults (kernel/cgroup protections, restrict namespaces, disable realtime, lock personality, overrideable via drop-in).

Avoid historically problematic knobs (NoNewPrivileges, capability bounding, PrivateDevices).

Refs: MDEV-10404, MDEV-19878, MDEV-36591, MDEV-36681
---
 support-files/mariadb.service.in | 21 +++++++++++++++++++++
 support-files/mariadb@.service.in | 21 +++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 16c905cdd6252..9ef25c3ae6f95 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -59,6 +59,27 @@ ProtectSystem=full
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true
 
+# Restrict modifications of kernel interfaces from the MariaDB service context.
+#
+# Note: ProtectKernelTunables makes /proc and /sys read-only, but it does not
+# necessarily remount separate sub-mounts under /sys/fs (for example cgroupfs
+# at /sys/fs/cgroup and selinuxfs at /sys/fs/selinux), so writes there may
+# still be allowed.
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+#
+# Prevent creating real-time scheduling policies.
+RestrictRealtime=true
+#
+# Prevent changing process personality(2)
+LockPersonality=true
+#
+# Restrict use of Linux namespaces by the daemon and its children, MariaDB
+# server core does not require namespace creation in typical operation
+# (override via drop-in if needed).
+RestrictNamespaces=true
+
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 3fd37c38862cb..8839c0b113419 100644
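Review bot: The seccomp-backed options added here (ProtectKernelTunables, ProtectKernelModules, RestrictRealtime, LockPersonality, RestrictNamespaces) are documented in systemd.exec(5) as implying NoNewPrivileges=yes whenever the unit runs without CAP_SYS_ADMIN, e.g. under a User= setting; if this unit runs as a non-root user (User= is outside the hunk, so this is inferred), the SELinux domain-transition concern that keeps `# NoNewPrivileges=true` commented out two lines above is not actually avoided, contrary to the commit message. Before merging, this should be verified on an SELinux-enforcing host (does mysqld still transition to its confined domain?), and the implication should be recorded next to the new block so the stale "Doesn't yet work properly with SELinux enabled" comment does not mislead the next reader. Suggested comment after `RestrictNamespaces=true`: `# Note: when the unit runs as a non-root user, the seccomp-backed options above` / `# imply NoNewPrivileges=yes (see systemd.exec(5)); confirm SELinux domain` / `# transitions still work before relying on the commented-out knob above.` The enclosing [Service] section starts and ends outside the hunk.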
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
@@ -190,6 +190,27 @@ ProtectSystem=full
 # (https://github.com/systemd/systemd/issues/3845)
 # NoNewPrivileges=true
 
+# Restrict modifications of kernel interfaces from the MariaDB service context.
+#
+# Note: ProtectKernelTunables makes /proc and /sys read-only, but it does not
+# necessarily remount separate sub-mounts under /sys/fs (for example cgroupfs
+# at /sys/fs/cgroup and selinuxfs at /sys/fs/selinux), so writes there may
+# still be allowed.
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+#
+# Prevent creating real-time scheduling policies.
+RestrictRealtime=true
+#
+# Prevent changing process personality(2)
+LockPersonality=true
+#
+# Restrict use of Linux namespaces by the daemon and its children, MariaDB
+# server core does not require namespace creation in typical operation
+# (override via drop-in if needed).
+RestrictNamespaces=true
+
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
 
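Review bot: The caveat comment above ProtectKernelTunables= names cgroupfs at /sys/fs/cgroup as a sub-mount that "may still be" writable, but `ProtectControlGroups=true` three lines below exists precisely to make /sys/fs/cgroup read-only, so the example contradicts the setting it sits next to and should be reworded to something like `# necessarily remount separate sub-mounts under /sys/fs (for example selinuxfs` / `# at /sys/fs/selinux); cgroupfs at /sys/fs/cgroup is covered by` / `# ProtectControlGroups= below.` The remaining selinuxfs example is worth keeping, since nothing in this block addresses it. This 21-line block is duplicated verbatim in mariadb.service.in, so any later correction has to be applied twice; a short pointer comment in one file to the other (or a note that the two must be kept in sync) would reduce drift. The enclosing [Service] section starts and ends outside the hunk.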