Add systemd configurations to strengthen OS core security #17107
Conversation
Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
RajatGupta02
requested review from
anasalkouz,
andrross,
ashking94,
Bukhtawar,
CEHENKLE,
cwperks,
dblock,
dbwiddis,
gbbafna,
jainankitk,
kotwanikunal,
linuxpi,
mch2,
msfroh,
nknize,
owaiskazi19,
reta,
Rishikesh1159,
sachinpkale,
saratvemulapalli,
shwetathareja,
sohami and
VachaShah
as code owners
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #17107 +/- ##
============================================
- Coverage 72.47% 72.37% -0.11%
+ Complexity 65618 65514 -104
============================================
Files 5291 5291
Lines 304347 304329 -18
Branches 44182 44181 -1
============================================
- Hits 220578 220246 -332
- Misses 65670 65973 +303
- Partials 18099 18110 +11 ☔ View full report in Codecov by Sentry. |
|
@RajatGupta02 If this is targeting 3.0 can you add an entry in the CHANGELOG for 3.0? |
Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
There was a problem hiding this comment.
can we remove the diff from this file? we can update our docs to use the template based config for more advanced security option. That would also prevent this change to be a breaking change.
This reverts commit 71b2584. Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
|
❌ Gradle check result for c694f75: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
|
❌ Gradle check result for 7c0402c: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for d784b96: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
Signed-off-by: Rajat Gupta <gptrajat@amazon.com>
|
❌ Gradle check result for facaca3: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
❌ Gradle check result for 890612e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change? |
|
@reta, do you think we can merge this while the Integration test PR is being worked on? |
@kumargu yes, sure, I think we should be good, @RajatGupta02 could you please resolve the conflicts? thank you |
Signed-off-by: Rajat Gupta <72070007+RajatGupta02@users.noreply.github.com>
Resolved 👍🏻 |
Description
Aims to strengthen the OS core security by using a stronger systemd unit configuration. The changes implement a form of sandboxing via systemd, protecting the system from potential vulnerabilities in the core or untrusted code (such as plugins).
Will be working on adding tests as suggested in the RFC: #1687
Related Issues
#16634
Supporting References
#16729
#1687
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.