CharlieC3 (Contributor) commented Aug 24, 2023

As noted here, it's a good idea to pair MemoryDenyWriteExecute=true with SystemCallArchitectures=native because MemoryDenyWriteExecute can be circumvented in some operating systems which support multiple ABIs like x86/x86-64.
This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area.

It's recommended to restrict the possible application binary interfaces that can be used when setting `MemoryDenyWriteExecute=true` to ensure it cannot be circumvented.
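
An added example, not part of the pull request or of Bitcoin Core: a small audit that reads a unit file and reports whether `MemoryDenyWriteExecute=true` is paired with `SystemCallArchitectures=native`, as the description above recommends. The sample units and the function names are constructed for illustration; the parser handles plain `Key=Value` lines in `[Service]` only.

```python
# Added example: audit a unit file for the MemoryDenyWriteExecute/ABI pairing.
TRUE_VALUES = {"1", "yes", "true", "on"}  # systemd boolean spellings for "enabled"

def service_settings(unit_text):
    """Return the [Service] assignments of a unit file as ordered (key, value) pairs."""
    section, pairs = None, []
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip(), value.strip()))
    return pairs

def audit_abi_pairing(unit_text):
    """Return findings; an empty list means the pairing from the PR is in place."""
    mdwe, archs = False, set()
    for key, value in service_settings(unit_text):
        if key == "MemoryDenyWriteExecute":
            mdwe = value.lower() in TRUE_VALUES      # last assignment wins
        elif key == "SystemCallArchitectures":
            if value:
                archs.update(value.split())          # entries accumulate
            else:
                archs.clear()                        # empty assignment resets the list
    if not mdwe:
        return ["MemoryDenyWriteExecute is not enabled"]
    if not archs:
        return ["MemoryDenyWriteExecute is set but SystemCallArchitectures is not: "
                "other ABIs stay reachable"]
    if archs != {"native"}:
        return ["SystemCallArchitectures is not exactly 'native': " + " ".join(sorted(archs))]
    return []

# Constructed sample units (not the contents of bitcoind.service).
UNIT_BEFORE = """[Unit]
Description=Constructed sample daemon
[Service]
ExecStart=/usr/bin/sampled
MemoryDenyWriteExecute=true
"""
UNIT_AFTER = UNIT_BEFORE + "SystemCallArchitectures=native\n"

if __name__ == "__main__":
    for name, text in (("before", UNIT_BEFORE), ("after", UNIT_AFTER)):
        print(name, audit_abi_pairing(text) or "ok")
```

On a host running systemd, `systemd-analyze security <unit>` reports on the same settings for a loaded unit.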

DrahtBot (Contributor) commented Aug 24, 2023

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Code Coverage

For detailed information about the code coverage, see the test coverage report.

Reviews

See the guideline for information on the review process.

| Type | Reviewers |
| --- | --- |
| ACK | laanwj, 0xB10C |
| Concept ACK | Sjors |

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Sjors (Member) commented Aug 25, 2023

Probably Concept ACK, because nix-bitcoin does this too: https://github.com/fort-nix/nix-bitcoin/blob/master/pkgs/lib.nix

Might as well consider all the extra stuff they added there.

laanwj (Member) commented Apr 9, 2024

ACK 0244416. This is a sensible security feature.
It looks like the documentation of systemd.exec even mentions this pairing.

I do agree with @Sjors, however, that when we're adding systemd hardening options, we might as well look further.

DrahtBot requested a review from Sjors on April 9, 2024 14:45

0xB10C (Contributor) commented Apr 10, 2024

ACK 0244416

ryanofsky merged commit dbd2000 into bitcoin:master on Apr 17, 2024
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Oct 25, 2024
0244416 security: restrict abis in bitcoind.service (Charlie)

Pull request description:

  [As noted here](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=), it's a good idea to pair `MemoryDenyWriteExecute=true` with `SystemCallArchitectures=native` because `MemoryDenyWriteExecute` can be circumvented in some operating systems which support multiple ABIs like x86/x86-64.
  This helps restrict the possible application binary interfaces (ABIs) that can be used when running bitcoind through systemd, reducing the attack surface area.

ACKs for top commit:
  laanwj:
    ACK 0244416 . This is a sensible security feature.
  0xB10C:
    ACK 0244416

Tree-SHA512: 77a35b0674d8d67d857cd20ae1b8cd011f82d6f5ed21bc106cbe45bfa937e786ddc1bf7261e3bdb8c289df1224e91658760905d2c8f37cc4c6506ef8037ad158
PastaPastaPasta pushed a commit to PastaPastaPasta/dash that referenced this pull request Oct 26, 2024
0244416 security: restrict abis in bitcoind.service (Charlie)
PastaPastaPasta added a commit to dashpay/dash that referenced this pull request Oct 27, 2024
700b8c5 Merge bitcoin#29658: Bugfix: GUI: Help messages already have a trailing newline, so don't add an extra one (merge-script)
a0cd305 Merge bitcoin#29948: test: add missing comparison of node1's mempool in MempoolPackagesTest (Ava Chow)
f1907ea Merge bitcoin#29984: net: Replace ifname check with IFF_LOOPBACK in Discover (merge-script)
daa6eee Merge bitcoin#29960: depends: pass verbose through to cmake based makefiles (merge-script)
61a5832 Merge bitcoin#29907: test: Fix `test/streams_tests.cpp` compilation on SunOS / illumos (merge-script)
23f25a9 Merge bitcoin#29872: test: Add missing Assert(mock_time_in >= 0s) to SetMockTime (merge-script)
a7daee7 Merge bitcoin#29689: lint: scripted-diff verification also requires GNU grep (Ava Chow)
3df1ca1 Merge bitcoin#29953: doc: Bash is needed in gen_id and is not installed on FreeBSD by default (merge-script)
b53b854 Merge bitcoin#29850: net: Decrease nMaxIPs when learning from DNS seeds (Ava Chow)
c4a147c Merge bitcoin#28340: security: restrict abis in bitcoind.service (Ryan Ofsky)
acfdf9e Merge bitcoin#28373: doc: Add example of mixing private and public keys in descriptors (Ava Chow)
51bc8bd Merge bitcoin#29859: build: Fix false positive `CHECK_ATOMIC` test (merge-script)
bb4102c Merge bitcoin#29893: test: fix intermittent failure in p2p_compactblocks_hb.py (glozow)
4ecb761 Merge bitcoin#29786: Drop Windows Socket dependency for `randomenv.cpp` (fanquake)
1a8e805 Merge bitcoin#29498: test: Update --tmpdir doc string to say directory must not exist (fanquake)
81ca71c Merge bitcoin#29781: depends: add new LLVM debug macro (fanquake)
5ce92ca Merge bitcoin#29527: depends: add -g to DEBUG=1 flags (fanquake)

Pull request description:

  ## Issue being fixed or feature implemented
  Trivial backports

  ## What was done?

  ## How Has This Been Tested?
  built locally

  ## Breaking Changes

  ## Checklist:
    _Go over all the following points, and put an `x` in all the boxes that apply._
  - [ ] I have performed a self-review of my own code
  - [ ] I have commented my code, particularly in hard-to-understand areas
  - [ ] I have added or updated relevant unit/integration/functional/e2e tests
  - [ ] I have made corresponding changes to the documentation
  - [x] I have assigned this pull request to a milestone _(for repository code-owners and collaborators only)_

ACKs for top commit:
  UdjinM6:
    utACK 700b8c5 but pls confirm Guix is happy now before merging
  kwvg:
    utACK 700b8c5

Tree-SHA512: 9722979c4f0589cb02bfeaf39373713372a4aa1c8c5a55aa5b4d33388f73ef19231de3963b80ffaad25fbe0db90a133de5080baac691daed41b86a762b867b2d
bitcoin locked and limited conversation to collaborators on Apr 17, 2025