RZR7332
commented
7 months ago Just for reference, the below are set by default on Ubuntu Server 22,04:
[Unit] Description=irqbalance daemon Documentation=man:irqbalance(1) Documentation=https://github.com/Irqbalance/irqbalance ConditionVirtualization=!container
[Service] EnvironmentFile=-/usr/lib/irqbalance/defaults.env EnvironmentFile=-/etc/default/irqbalance ExecStart=/usr/sbin/irqbalance --foreground $IRQBALANCE_ARGS CapabilityBoundingSet= NoNewPrivileges=yes ReadOnlyPaths=/ ReadWritePaths=/proc/irq RestrictAddressFamilies=AF_UNIX RuntimeDirectory=irqbalance/
This commit has included a number of systemd hardening options for the irqbalance service. This is intended to provide further sandboxing and increase/improve the security posture of systems.
@resources system call filter may be required as well but have omitted it for the time being. Further hardening might be possible if further access to /proc is not required (i.e. no access, read or write, required to any other process folders under /proc other than its own).