From c4a147cfea557e3f32637ea0749ebf02004033fd Mon Sep 17 00:00:00 2001 From: Ryan Ofsky Date: Wed, 17 Apr 2024 12:59:37 -0400 Subject: [PATCH] Merge bitcoin/bitcoin#28340: security: restrict abis in bitcoind.service 0244416aacbad03e4ebe8f2c95c7861a318916ea security: restrict abis in bitcoind.service (Charlie) Pull request description: [As noted here](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=), it's a good idea to pair `MemoryDenyWriteExecute=true` with `SystemCallArchitectures=native` because `MemoryDenyWriteExecute` can be circumvented in some operating systems which support multiple ABIs like x86/x86-64. This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area. ACKs for top commit: laanwj: ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea . This is a sensible security feature. 0xB10C: ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea Tree-SHA512: 77a35b0674d8d67d857cd20ae1b8cd011f82d6f5ed21bc106cbe45bfa937e786ddc1bf7261e3bdb8c289df1224e91658760905d2c8f37cc4c6506ef8037ad158 --- contrib/init/dashd.service | 3 +++ 1 file changed, 3 insertions(+) diff --git a/contrib/init/dashd.service b/contrib/init/dashd.service index 223c05a875..60140bdf7a 100644 --- a/contrib/init/dashd.service +++ b/contrib/init/dashd.service @@ -78,5 +78,8 @@ PrivateDevices=true # Deny the creation of writable and executable memory mappings. MemoryDenyWriteExecute=true +# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced +SystemCallArchitectures=native + [Install] WantedBy=multi-user.target
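Review bot: The subject line and description name bitcoind.service, but the only file in the diff is contrib/init/dashd.service. The message appears to be carried over unchanged from the upstream merge of bitcoin/bitcoin#28340, so it should also name the unit file that is actually hardened, so that a history search for dashd.service finds this change. In the added lines of the @@ -78,5 +78,8 @@ hunk, the comment "Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced" would serve a later reader better if it carried the reason given in the description: on systems that support multiple ABIs, such as x86/x86-64, MemoryDenyWriteExecute can be circumvented. Placing SystemCallArchitectures=native directly after MemoryDenyWriteExecute=true is right, since the two settings are meant to be paired.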