Details
Type: Bug
Status: In Review
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.11
Fix Version/s: None
Component/s: Related to install and upgrade
Description
Adds a handful of conservative systemd hardening defaults to the upstream unit templates (support-files/mariadb.service.in and support-files/mariadb@.service.in). The goal is to improve systemd-analyze security without changing normal MariaDB behavior.
Enabled in this change:
Kernel/cgroup protections: ProtectKernelTunables=true, ProtectKernelModules=true, ProtectControlGroups=true
Block realtime scheduling: RestrictRealtime=true
Lock personality: LockPersonality=true
Restrict namespace creation: RestrictNamespaces=true (easy to override via a systemd drop-in if someone really needs it)
Intentionally not enabled:
I'm intentionally not touching the knobs that have historically caused regressions across distros / SELinux / PAM setups:
NoNewPrivileges= (SELinux transition history, refs MDEV-10404)
capability bounding / aggressive capability tweaks (refs MDEV-36591, MDEV-36681, MDEV-19878)
PrivateDevices= (PAM/SUID helper history, ref MDEV-19878)
Happy to follow up with a separate PR for NoNewPrivileges=true (and anything else stronger) once this lands and we get broader feedback.
Downstream note (Debian)
This exact set of directives has been carried in Debian for ~1 month with no regressions reported so far. Context: https://salsa.debian.org/mariadb-team/mariadb-server/-/merge_requests/152.
Tested
systemctl restart mariadb / mariadb@.service
Checked journalctl -u 'mariadb*' for new errors/denials
Compared systemd-analyze security mariadb.service before/after
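As an added example (not part of this ticket, and not MariaDB's or Debian's own unit files), the following POSIX shell script packages the directive set above as a drop-in, shows the override the description mentions for RestrictNamespaces, and includes a small text-based audit that reports the effective value of each of the six directives from a unit plus its drop-ins. The drop-in paths and file names (50-hardening.conf, 60-allow-namespaces.conf) are assumptions; the sample unit text in the usage is constructed, not a real MariaDB unit.

```bash
#!/bin/sh
# Added example; not code from the MDEV ticket or the MariaDB project.
# The six directives are the ones the ticket enables. NoNewPrivileges=,
# capability changes and PrivateDevices= are deliberately absent, as in the ticket.
HARDENING_DIRECTIVES="ProtectKernelTunables ProtectKernelModules ProtectControlGroups RestrictRealtime LockPersonality RestrictNamespaces"

# Body of the hardening drop-in. Assumed install path (not from the ticket):
#   hardening_dropin > /etc/systemd/system/mariadb.service.d/50-hardening.conf
hardening_dropin() {
    cat <<'EOF'
[Service]
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictRealtime=true
LockPersonality=true
RestrictNamespaces=true
EOF
}

# Drop-in for an installation that really needs namespace creation.
# systemd reads drop-ins in lexical order after the unit file and, for a
# single-valued key like RestrictNamespaces=, the last assignment wins, so a
# higher-numbered file (assumed name: 60-allow-namespaces.conf) overrides 50-*.
relax_namespaces_dropin() {
    cat <<'EOF'
[Service]
RestrictNamespaces=false
EOF
}

# effective_value KEY  (reads unit text on stdin)
# Prints the last value assigned to KEY, or "unset" if it never appears.
effective_value() {
    key=$1
    val=$(sed -n "s/^[[:space:]]*${key}=[[:space:]]*//p" | tail -n 1)
    if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# audit_unit  (reads the unit file followed by its drop-ins on stdin, i.e. the
# same order systemd applies them). Prints one "KEY value" line per directive.
# Pure text processing, so it runs offline; see the usage note for the live form.
audit_unit() {
    content=$(cat)
    for k in $HARDENING_DIRECTIVES; do
        printf '%s %s\n' "$k" "$(printf '%s\n' "$content" | effective_value "$k")"
    done
}
```

On a live host, `systemctl cat mariadb.service | audit_unit` feeds the unit and its drop-ins in the order systemd merges them; the audit is a plain-text approximation, so treat `systemctl show -p RestrictNamespaces mariadb.service` and `systemd-analyze security mariadb.service` as the authoritative before/after checks. After writing or changing a drop-in, run `systemctl daemon-reload` before the restart, and keep watching `journalctl -u 'mariadb*'` for denials, since ProtectControlGroups= and ProtectKernelTunables= make /sys/fs/cgroup and /proc/sys read-only for the service, which matters for any plugin or wrapper that expects to write there.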