git-echo/linux_patch_api
Private
Public Access
1
0
Fork 0
Code Releases 32 Wiki Activity

fix: remove all systemd capability restrictions blocking package management

Browse Source 
- Remove CapabilityBoundingSet and AmbientCapabilities (apt needs full root capabilities)
- Remove ReadWritePaths (unnecessary without ProtectSystem=strict)
- Fix E2E test: properly FAIL on status=failed package operations
- Fix E2E test: require status=completed for install/update/remove lifecycle
- Update dpkg packaging service file to match configs/
- Bump version to 0.3.5
This commit is contained in:
Echo
2026-05-03 04:13:50 +00:00
parent 8a80a887e1
commit 42e2f8989a
5 changed files with 64 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
debian/linux-patch-api/lib/systemd/system/linux-patch-api.service vendored
View File

@ -5,7 +5,8 @@ After=network-online.target
Wants=network-online.target
[Service]
Type=notify
Type=simple
NotifyAccess=all
ExecStart=/usr/bin/linux-patch-api --config /etc/linux_patch_api/config.yaml
Restart=on-failure
RestartSec=5s
@ -16,12 +17,17 @@ RuntimeDirectory=linux-patch-api
RuntimeDirectoryMode=0755
# Security hardening
NoNewPrivileges=true
ProtectSystem=strict
# NOTE: Package management requires extensive system access. The following
# restrictions have been removed because they block core functionality:
# - ProtectSystem=strict: Blocks writes to /usr, /etc, /lib where packages install
# - NoNewPrivileges: Blocks sudo/setuid which apt needs for _apt sandbox
# - RestrictSUIDSGID: Blocks setuid/setgid which apt needs for _apt sandbox
# - CapabilityBoundingSet: Drops capabilities that apt needs (SETUID, SETGID, CHOWN, etc.)
# - AmbientCapabilities: Same issue as CapabilityBoundingSet
# Network security is provided by mTLS + IP whitelist. The service runs as root
# and MUST be able to install/remove/update packages system-wide.
ProtectHome=true
ReadWritePaths=/var/lib/linux_patch_api /var/log/linux_patch_api
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
@ -31,8 +37,6 @@ RestrictNamespaces=true
LockPersonality=true
MemoryDenyWriteExecute=false
RestrictRealtime=true
RestrictSUIDSGID=true
RemoveIPC=true
# System call filtering (whitelist approach)
SystemCallFilter=@system-service
@ -40,6 +44,7 @@ SystemCallErrorNumber=EPERM
# Environment
Environment="RUST_BACKTRACE=1"
Environment="DEBIAN_FRONTEND=noninteractive"
Environment="RUST_LOG=info"
# Logging