Add systemd configurations to strengthen OS core security #17107
Signed-off-by: Rajat Gupta <[email protected]>
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #17107 +/- ##
============================================
- Coverage 72.48% 72.44% -0.04%
- Complexity 65637 65664 +27
============================================
Files 5303 5303
Lines 304793 304793
Branches 44202 44202
============================================
- Hits 220926 220820 -106
- Misses 65711 65903 +192
+ Partials 18156 18070 -86
☔ View full report in Codecov by Sentry.
@RajatGupta02 If this is targeting 3.0 can you add an entry in the CHANGELOG for 3.0?
Signed-off-by: Rajat Gupta <[email protected]>
Signed-off-by: Rajat Gupta <[email protected]>
❌ Gradle check result for facaca3: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❌ Gradle check result for 890612e: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
@reta, do you think we can merge this while the Integration test PR is being worked on?
@kumargu yes, sure, I think we should be good, @RajatGupta02 could you please resolve the conflicts? thank you
Signed-off-by: Rajat Gupta <[email protected]>
Resolved 👍🏻
@reta could you please approve the PR if it looks good?
… file Signed-off-by: Rajat Gupta <[email protected]>
❌ Gradle check result for fb983cc: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
Signed-off-by: Rajat Gupta <[email protected]>
❌ Gradle check result for 95061fa: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
❌ Gradle check result for 95061fa: FAILURE Please examine the workflow log, locate, and copy-paste the failure(s) below, then iterate to green. Is the failure a flaky test unrelated to your change?
@reta could you please start the workflow and merge this?
@RajatGupta02 you may need to rebase against latest
Signed-off-by: Rajat Gupta <[email protected]>
Done 👍🏻
Description
Aims to strengthen the OS core security by using a stronger systemd unit configuration. The changes implement a form of sandboxing via systemd, protecting the system from potential vulnerabilities in the core or untrusted code (such as plugins).
Will be working on adding tests as suggested in the RFC: #1687
Related Issues
#16634
Supporting References
#16729
#1687
Check List
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.