From c007835898a737ba8b5cc47d8813359001dfae0b Mon Sep 17 00:00:00 2001
From: Aquila Macedo
Date: Thu, 15 Jan 2026 19:53:16 -0500
Subject: [PATCH] Add safe hardening to mariadb.service units

Add low regression systemd hardening directives to mariadb.service and mariadb@.service to improve 'systemd-analyze security' without touching the historically-problematic areas (capability bounding / NoNewPrivileges / PrivateDevices).

Refs: MDEV-10404, MDEV-19878, MDEV-36591, MDEV-36681

Includes kernel/cgroup protections, disables realtime scheduling, locks personality, and restricts namespace creation (overrideable via drop-in)

This patch should be submitted upstream once proven stable in Debian.

Forwarded: no
Gbp-Pq: Name systemd-hardening-safe-defaults.patch
---
 support-files/mariadb.service.in | 21 +++++++++++++++++++++
 support-files/mariadb@.service.in | 21 +++++++++++++++++++++
 2 files changed, 42 insertions(+)

diff --git a/support-files/mariadb.service.in b/support-files/mariadb.service.in
index 16c905cdd..85360e41b 100644
--- a/support-files/mariadb.service.in
+++ b/support-files/mariadb.service.in
@@ -59,6 +59,27 @@ ProtectSystem=full
 # Doesn't yet work properly with SELinux enabled
 # NoNewPrivileges=true
+# Restrict modifications of kernel interfaces from the MariaDB service context.
+
+# Note: ProtectKernelTunables makes /proc and /sys read-only, but it does not
+# necessarily remount separate sub-mounts under /sys/fs (for example cgroupfs
+# at /sys/fs/cgroup and selinuxfs at /sys/fs/selinux), so writes there may
+# still be allowed.
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+
+# Prevent creating real-time scheduling policies.
+RestrictRealtime=true
+
+# Prevent changing process personality(2)
+LockPersonality=true
+
+# Restrict use of Linux namespaces by the daemon and its children, MariaDB
+# server core does not require namespace creation in typical operation
+# (override via drop-in if needed).
+RestrictNamespaces=true
+
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
diff --git a/support-files/mariadb@.service.in b/support-files/mariadb@.service.in
index 3fd37c388..9a186d9c4 100644
--- a/support-files/mariadb@.service.in
+++ b/support-files/mariadb@.service.in
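Review bot: The comment above `ProtectKernelTunables=true` overstates what the directive does: it makes /proc/sys/, /sys/ and a handful of specific /proc entries (sysrq-trigger, latency_stats, acpi, timer_stats, fs, irq) read-only and hides /proc/kallsyms and /proc/kcore, not all of /proc and /sys, so the sub-mount caveat is right but the first clause should read `# Note: ProtectKernelTunables makes /proc/sys, /sys and a few specific /proc entries read-only, but it does not`. Relatedly, `ProtectKernelModules=true` removes CAP_SYS_MODULE from the unit's capability bounding set in addition to filtering the module system calls, so the commit description's claim that the capability bounding set is untouched is not quite accurate; harmless for mariadbd, but worth recording on the line, e.g. `# Also drops CAP_SYS_MODULE from the bounding set.`. RestrictRealtime, LockPersonality and RestrictNamespaces are enforced through seccomp and are not applied where seccomp is unavailable, which deserves a one-line comment since systemd-analyze security will still credit them. The identical block in the mariadb@.service.in hunk has the same points.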
@@ -190,6 +190,27 @@ ProtectSystem=full
 # (https://github.com/systemd/systemd/issues/3845)
 # NoNewPrivileges=true
+# Restrict modifications of kernel interfaces from the MariaDB service context.
+
+# Note: ProtectKernelTunables makes /proc and /sys read-only, but it does not
+# necessarily remount separate sub-mounts under /sys/fs (for example cgroupfs
+# at /sys/fs/cgroup and selinuxfs at /sys/fs/selinux), so writes there may
+# still be allowed.
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+
+# Prevent creating real-time scheduling policies.
+RestrictRealtime=true
+
+# Prevent changing process personality(2)
+LockPersonality=true
+
+# Restrict use of Linux namespaces by the daemon and its children, MariaDB
+# server core does not require namespace creation in typical operation
+# (override via drop-in if needed).
+RestrictNamespaces=true
+
 # Prevent accessing /home, /root and /run/user
 ProtectHome=true
-- 
2.30.2