mirror of
https://github.com/dashpay/dash.git
synced 2024-12-24 19:42:46 +01:00
Merge bitcoin/bitcoin#28340: security: restrict abis in bitcoind.service
0244416aacbad03e4ebe8f2c95c7861a318916ea security: restrict abis in bitcoind.service (Charlie)

Pull request description:

  [As noted here](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=), it's a good idea to pair `MemoryDenyWriteExecute=true` with `SystemCallArchitectures=native` because `MemoryDenyWriteExecute` can be circumvented in some operating systems which support multiple ABIs like x86/x86-64. This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area.

ACKs for top commit:
  laanwj:
    ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea . This is a sensible security feature.
  0xB10C:
    ACK 0244416aacbad03e4ebe8f2c95c7861a318916ea

Tree-SHA512: 77a35b0674d8d67d857cd20ae1b8cd011f82d6f5ed21bc106cbe45bfa937e786ddc1bf7261e3bdb8c289df1224e91658760905d2c8f37cc4c6506ef8037ad158
This commit is contained in:
parent
acfdf9e438
commit
c4a147cfea
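A way to audit other unit files for the pairing the pull request description recommends, as an added example that is not part of this commit or of the project's code. It assumes a single unit file with no drop-ins and no backslash line continuations; `service_settings`, `check_unit` and the sample unit texts are constructed for illustration.

```python
# Added example: flag systemd units that enable MemoryDenyWriteExecute=
# without restricting system call ABIs to "native".

TRUE_VALUES = {"1", "yes", "true", "on"}  # systemd's spellings of boolean true

def service_settings(unit_text):
    """Return (MemoryDenyWriteExecute, SystemCallArchitectures) from [Service]."""
    section, mdwe, archs = None, False, set()
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":           # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "MemoryDenyWriteExecute":
            mdwe = value.lower() in TRUE_VALUES    # last assignment wins
        elif key == "SystemCallArchitectures":
            # Assumption: list setting; an empty value resets, others accumulate.
            archs = archs | set(value.split()) if value else set()
    return mdwe, archs

def check_unit(unit_text):
    """Return a list of findings; an empty list means the pairing is in place."""
    mdwe, archs = service_settings(unit_text)
    if not mdwe:
        return ["MemoryDenyWriteExecute is not enabled"]
    if not archs:
        return ["MemoryDenyWriteExecute=true without SystemCallArchitectures="]
    extra = sorted(archs - {"native"})
    if extra:
        return ["architectures other than native listed: " + " ".join(extra)]
    return []

# Constructed sample units modelled on the lines visible in the diff.
BEFORE = (
    "[Service]\nPrivateDevices=true\nMemoryDenyWriteExecute=true\n\n"
    "[Install]\nWantedBy=multi-user.target\n")
AFTER = BEFORE.replace("=true\n\n", "=true\nSystemCallArchitectures=native\n\n")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_unit(text) or "ok")
```
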
@ -78,5 +78,8 @@ PrivateDevices=true
|
|||||||
# Deny the creation of writable and executable memory mappings.
|
# Deny the creation of writable and executable memory mappings.
|
||||||
MemoryDenyWriteExecute=true
|
MemoryDenyWriteExecute=true
|
||||||
|
|
||||||
|
# Restrict ABIs to help ensure MemoryDenyWriteExecute is enforced
|
||||||
|
SystemCallArchitectures=native
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
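Review bot: The comment added above `SystemCallArchitectures=native` says the setting helps ensure MemoryDenyWriteExecute is enforced but not why, so a later editor of the unit has no way to tell that the two lines depend on each other. Consider spelling out the reason from the pull request description in the comment itself, for example that on systems supporting multiple ABIs (x86/x86-64) an alternative ABI can be used to circumvent MemoryDenyWriteExecute. It is also worth noting next to the setting that it refuses system calls from any non-native binary started under this unit, so that the restriction is not loosened by accident when someone hits that behaviour.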