martomi
commented
2 years ago Hi @alexking,
this was really delightful to review, really appreciated the detailed documentation and careful considerations. 👍 💯
I'll go ahead and merge this into dev, and it'll make it into the final release for 2021 :-)
Thanks!
alexking
Should resolve #312, relates to discussion #51. Attempts to sandbox chiadog as a systemd service, and safeguard any sensitive chia files in
.chia/mainnetthat we don't need access to..chia/mainnetfolders other thanlogto inaccessible.debug.log.offsetfile was kept in the chiadog directory, but when running in a read only filesystem we can't write there. Create a temporary directory when running, and store the offset file there. This also means we no longer need to delete the offset file on startup.A good way to test this is to switch out the
ExecStartfor anls -lh .chia/mainnetand see what files are accessible inside the environment, or try to runvenv/bin/chia wallet showinside and make sure it fails. Ideally I'd like to have chiadog show a warning when it starts up if it's able to access configuration directories, but I figure that could be added in another PR.There are a bunch of different strategies in systemd for setting this up, I went with what seems to be the most compatible version (compatible with systemd 235, which I believe is available in Ubuntu 18), explicitly declaring
InaccessiblePaths. The other way, usingTemporarilyFilesystemto block everything out and binding the one file we need, is maybe a bit more elegant, but needs at least systemd 238 (around Ubuntu 20). Since it's not possible to say "make everything except the logs folder inaccessible" however (declaring.chiaas inaccessible makes all child directories inaccessible and can't be overridden by other directives), we need to remember to add any new paths if new versions of chia add additional directories we don't want access to.