martomi / chiadog

A watch dog providing a peace in mind that your Chia farm is running smoothly 24/7.
MIT License
458 stars 120 forks

Sandboxed systemd service #318

Closed alexking closed 2 years ago

alexking commented 2 years ago

Should resolve #312, relates to discussion #51. Attempts to sandbox chiadog as a systemd service, and safeguard any sensitive chia files in .chia/mainnet that we don't need access to.

A good way to test this is to switch out the ExecStart for an ls -lh .chia/mainnet and see what files are accessible inside the environment, or try to run venv/bin/chia wallet show inside and make sure it fails. Ideally I'd like to have chiadog show a warning when it starts up if it's able to access configuration directories, but I figure that could be added in another PR.

There are a bunch of different strategies in systemd for setting this up. I went with what seems to be the most compatible version (compatible with systemd 235, which I believe is available in Ubuntu 18), explicitly declaring InaccessiblePaths. The other way, using TemporaryFileSystem to block everything out and binding the one file we need, is maybe a bit more elegant, but needs at least systemd 238 (around Ubuntu 20). Since it's not possible to say "make everything except the logs folder inaccessible", however (declaring .chia as inaccessible makes all child directories inaccessible and can't be overridden by other directives), we need to remember to add any new paths if new versions of chia add additional directories we don't want access to.
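To make the two strategies described in the comment concrete, here is an illustrative unit file added as an example; it is not the unit shipped by this PR or by the chiadog project. It assumes a dedicated `chiadog` user, a checkout at `/home/chiadog/chiadog` with a virtualenv, an `ExecStart` of `python main.py --config config.yaml`, and chia's log directory at `/home/chiadog/.chia/mainnet/log`; the list of denied directories (`config`, `db`, `wallet`, `~/.chia_keys`) is what I would start with and must be extended as chia adds directories, exactly as the comment warns.

```ini
# Added example unit for a sandboxed chiadog service (not the PR's own file).
# Assumed layout: user "chiadog", checkout at /home/chiadog/chiadog with a venv,
# chia logs at /home/chiadog/.chia/mainnet/log. Adjust paths to your install.
[Unit]
Description=chiadog farm monitor (sandboxed)
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=chiadog
Group=chiadog
WorkingDirectory=/home/chiadog/chiadog
ExecStart=/home/chiadog/chiadog/venv/bin/python main.py --config config.yaml
Restart=on-failure
RestartSec=10

# --- Generic hardening, all available in systemd 235 ---
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectKernelTunables=yes
ProtectControlGroups=yes
# chiadog only reads logs and sends notifications, so home can be read-only.
ProtectHome=read-only

# --- Strategy A: explicit deny-list (works on systemd 235) ---
# Each path and everything below it vanishes from the service's mount namespace.
# A leading "-" means "ignore this entry if the path does not exist".
# Nothing can be re-exposed beneath an InaccessiblePaths= entry, so the parent
# directory .chia/mainnet itself must stay accessible for the log directory
# to remain readable.
InaccessiblePaths=-/home/chiadog/.chia/mainnet/config
InaccessiblePaths=-/home/chiadog/.chia/mainnet/db
InaccessiblePaths=-/home/chiadog/.chia/mainnet/wallet
InaccessiblePaths=-/home/chiadog/.chia_keys
# Reminder: add any directory a newer chia release creates under .chia here.

# --- Strategy B: allow-list (needs systemd 238 for TemporaryFileSystem=) ---
# Replace Strategy A with these two lines: an empty tmpfs is mounted over
# .chia, and only the log directory is bound back in, read-only.
#TemporaryFileSystem=/home/chiadog/.chia
#BindReadOnlyPaths=/home/chiadog/.chia/mainnet/log

[Install]
WantedBy=multi-user.target
```

To verify the sandbox the way the comment suggests, temporarily set `ExecStart=/bin/ls -lh /home/chiadog/.chia/mainnet` and check in `journalctl -u chiadog` that only `log` is listed; with Strategy B, `ls` of `.chia` shows nothing but the bound `mainnet/log` path. On systemd 240 or newer, `systemd-analyze security chiadog.service` also reports which hardening directives are still missing.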

alexking commented 2 years ago

Accidentally pointed at main