Security: harden systemd unit and add event rate limiting #29

Merged
qwc merged 2 commits from security/systemd-and-ratelimit into main 2026-02-02 14:23:02 +01:00
Summary

Addresses the two remaining security issues.

Commit 1 — Harden systemd service unit (closes #6)

Rewrites systemd/backive.service with comprehensive sandboxing:

  • ProtectSystem=strict — read-only filesystem except explicit paths
  • ProtectHome=read-only — backup sources in /home are readable
  • PrivateTmp=yes — isolated /tmp
  • NoNewPrivileges=no — required for sudo-based script execution
  • ProtectKernelTunables, ProtectKernelModules, ProtectControlGroups
  • MemoryDenyWriteExecute, LockPersonality, RestrictSUIDSGID, RestrictRealtime
  • SystemCallFilter=@system-service @mount — only needed syscall groups
  • ReadWritePaths for mount points, sockets, logs, database
  • Fixed placeholder WorkingDirectory, added [Install] section, restart policy

Commit 2 — Add rate limiting to event handler (closes #7)

Adds a token-bucket rate limiter (10 connections/second) to events.go:

  • New rateLimiter type with thread-safe sliding-window logic
  • Connections exceeding the limit are accepted then immediately dropped
  • TestRateLimiter — verifies token depletion and interval reset
  • TestRateLimiterDropsConnection — verifies connections are dropped when limit is 0

All 23 tests pass, coverage at 69.4%.

Closes #6, closes #7
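As an added example (not the project's own code; the names `rateLimiter`, `allow`, `admit` and the replaceable `now` clock are assumptions), this is one way to structure the accept-then-close limiter described above. The unix socket accept loop would call `admit` on every connection returned by `Accept` and only start the handler when it returns true.

```go
package main

import (
	"log"
	"net"
	"sync"
	"time"
)

// rateLimiter admits at most limit connections per interval; tokens refill in
// full once the interval has elapsed (fixed-window refill). Safe for concurrent use.
type rateLimiter struct {
	mu            sync.Mutex
	limit, tokens int
	interval      time.Duration
	windowStart   time.Time
	now           func() time.Time // clock, replaceable in tests (assumed helper)
}

func newRateLimiter(limit int, interval time.Duration) *rateLimiter {
	return &rateLimiter{limit: limit, tokens: limit, interval: interval,
		windowStart: time.Now(), now: time.Now}
}

// allow takes one token if available; a limit of 0 never admits anything.
func (r *rateLimiter) allow() bool {
	r.mu.Lock()
	defer r.mu.Unlock()
	if t := r.now(); t.Sub(r.windowStart) >= r.interval {
		r.windowStart, r.tokens = t, r.limit
	}
	if r.tokens <= 0 {
		return false
	}
	r.tokens--
	return true
}

// admit reports whether conn may be handled. Over-limit connections are
// accepted and closed at once so the listen backlog never fills with them.
func admit(rl *rateLimiter, conn net.Conn) bool {
	if rl.allow() {
		return true
	}
	log.Printf("rate limit exceeded, dropping connection %v", conn.RemoteAddr())
	conn.Close()
	return false
}
```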

- Add ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=yes
- Add kernel/cgroup/realtime protections
- Add MemoryDenyWriteExecute, LockPersonality, RestrictSUIDSGID
- Add SystemCallFilter=@system-service @mount, native arch only
- Explicit ReadWritePaths for mount points, sockets, logs, database
- Fix placeholder WorkingDirectory, use absolute ExecStart path
- Add [Install] section for systemctl enable support
- Add restart policy (on-failure with 5s delay)

Closes #6

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security: add rate limiting to event handler
All checks were successful
Go / build (pull_request) Successful in 5m34s
9b9c9f881e
Add a token-bucket rate limiter (10 connections/second) to the unix
socket event handler to prevent local denial-of-service via socket
flooding. Connections exceeding the limit are accepted then immediately
closed with a log message.

Includes tests for the rate limiter logic and connection dropping.

Closes #7

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
qwc merged commit afb505293e into main 2026-02-02 14:23:02 +01:00
qwc deleted branch security/systemd-and-ratelimit 2026-02-02 14:23:02 +01:00
Reference
qwc-open/backive!29