From: Aquila Macedo
Date: Fri, 16 Jan 2026 00:53:16 +0000 (-0500)
Subject: Add safe hardening to mariadb.service units
X-Git-Tag: archive/raspbian/1%11.8.6-5+rpi1^2~4
X-Git-Url: https://dgit.raspbian.org/%22http:/www.example.com/%22stanciumarius94%40gmail.com//%22mailto:i18n-csb%40linuxcsb.org/%22/%22http:/www.example.com/%22stanciumarius94%40gmail.com/%22mailto:i18n-csb%40linuxcsb.org/%22?a=commitdiff_plain;h=3e0156f0c69840fb9c94b767d51cfbc83ae1d43f;p=mariadb.git

Add safe hardening to mariadb.service units

Add low-regression systemd hardening directives to mariadb.service and
mariadb@.service to improve 'systemd-analyze security' without touching the
historically-problematic areas (capability bounding / NoNewPrivileges /
PrivateDevices).

Refs: MDEV-10404, MDEV-19878, MDEV-36591, MDEV-36681

Includes kernel/cgroup protections, disables realtime scheduling, locks
personality, and restricts namespace creation (overrideable via drop-in).

This patch should be submitted upstream once proven stable in Debian.

Forwarded: no
Gbp-Pq: Name systemd-hardening-safe-defaults.patch
---
diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 16c905cdd..85360e41b 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -59,6 +59,27 @@ ProtectSystem=full # Doesn't yet work properly with SELinux enabled # NoNewPrivileges=true +# Restrict modifications of kernel interfaces from the MariaDB service context. + +# Note: ProtectKernelTunables makes /proc and /sys read-only, but it does not +# necessarily remount separate sub-mounts under /sys/fs (for example cgroupfs +# at /sys/fs/cgroup and selinuxfs at /sys/fs/selinux), so writes there may +# still be allowed. +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true + +# Prevent creating real-time scheduling policies. +RestrictRealtime=true + +# Prevent changing process personality(2) +LockPersonality=true + +# Restrict use of Linux namespaces by the daemon and its children, MariaDB +# server core does not require namespace creation in typical operation +# (override via drop-in if needed). +RestrictNamespaces=true + # Prevent accessing /home, /root and /run/user ProtectHome=true diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in index 3fd37c388..9a186d9c4 100644 --- a/support-files/mariadb@.service.in +++ b/support-files/mariadb@.service.in 
@@ -190,6 +190,27 @@ ProtectSystem=full # (https://github.com/systemd/systemd/issues/3845) # NoNewPrivileges=true +# Restrict modifications of kernel interfaces from the MariaDB service context. + +# Note: ProtectKernelTunables makes /proc and /sys read-only, but it does not +# necessarily remount separate sub-mounts under /sys/fs (for example cgroupfs +# at /sys/fs/cgroup and selinuxfs at /sys/fs/selinux), so writes there may +# still be allowed. +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectControlGroups=true + +# Prevent creating real-time scheduling policies. +RestrictRealtime=true + +# Prevent changing process personality(2) +LockPersonality=true + +# Restrict use of Linux namespaces by the daemon and its children, MariaDB +# server core does not require namespace creation in typical operation +# (override via drop-in if needed). +RestrictNamespaces=true + # Prevent accessing /home, /root and /run/user ProtectHome=true
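Review bot: in the mariadb.service.in hunk, the added ProtectKernelTunables=, ProtectKernelModules=, RestrictRealtime=, LockPersonality= and RestrictNamespaces= directives are documented in systemd.exec(5) as implying NoNewPrivileges=yes for a unit that does not hold CAP_SYS_ADMIN (the usual situation once User= is set), so this hunk can silently re-enable the setting that the context line `# NoNewPrivileges=true` keeps disabled because it "Doesn't yet work properly with SELinux enabled". Please verify on an SELinux-enforcing host after restart, for example with `grep NoNewPrivs /proc/$(systemctl show -p MainPID --value mariadb)/status`, and either record the implied behaviour next to the commented-out line or drop the implying directives; the commit message's statement that NoNewPrivileges is not touched should be qualified accordingly.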
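Review bot: in the mariadb@.service.in hunk (and the identical hunk in mariadb.service.in), the comment above `ProtectKernelTunables=true` says writes to cgroupfs at /sys/fs/cgroup "may still be allowed", yet `ProtectControlGroups=true` two directives below exists precisely to make /sys/fs/cgroup read-only, so the comment contradicts the block it introduces. Suggest narrowing the caveat to selinuxfs and other sub-mounts that ProtectControlGroups= does not cover, or moving it onto ProtectControlGroups= to explain why it is needed alongside ProtectKernelTunables=. Minor: the RestrictNamespaces= comment joins two sentences with a comma ("...its children, MariaDB server core does not require..."); a full stop or semicolon reads cleaner.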