Closed: alexking closed this 2 years ago
Hi @alexking,

this was really delightful to review, really appreciated the detailed documentation and careful considerations. 👍 💯

I'll go ahead and merge this into dev, and it'll make it into the final release for 2021 :-)

Thanks!
Thanks! Also I just noticed that Chia is migrating their keys to `~/.chia_keys`, so I'll submit another to include that as inaccessible.
Should resolve #312, relates to discussion #51. Attempts to sandbox chiadog as a systemd service, and safeguard any sensitive chia files in `.chia/mainnet` that we don't need access to.

- Set `.chia/mainnet` folders other than `log` to inaccessible.
- The `debug.log.offset` file was kept in the chiadog directory, but when running in a read-only filesystem we can't write there. Create a temporary directory when running, and store the offset file there. This also means we no longer need to delete the offset file on startup.

A good way to test this is to switch out the `ExecStart` for an `ls -lh .chia/mainnet` and see what files are accessible inside the environment, or try to run `venv/bin/chia wallet show` inside and make sure it fails. Ideally I'd like to have chiadog show a warning when it starts up if it's able to access configuration directories, but I figure that could be added in another PR.

There are a bunch of different strategies in systemd for setting this up. I went with what seems to be the most compatible version (compatible with systemd 235, which I believe is available in Ubuntu 18), explicitly declaring `InaccessiblePaths`. The other way, using `TemporaryFileSystem` to block everything out and binding the one file we need, is maybe a bit more elegant, but needs at least systemd 238 (around Ubuntu 20). Since it's not possible to say "make everything except the logs folder inaccessible" however (declaring `.chia` as inaccessible makes all child directories inaccessible and can't be overridden by other directives), we need to remember to add any new paths if new versions of chia add additional directories we don't want access to.
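To make the approach above concrete, here is an added illustration of a unit file of the kind the PR describes. It is not the project's own unit file: the install path `/home/chia/chiadog`, the service user `chia`, the `ExecStart` command line, the environment variable `CHIADOG_OFFSET_DIR` and the directory names under `.chia/mainnet` other than `log` are all assumptions for the example. It shows the `InaccessiblePaths` per-directory denylist (with `~/.chia_keys` added as mentioned in the thread), a read-only filesystem via `ProtectSystem=strict` and `ProtectHome=read-only`, and `RuntimeDirectory` as the writable place for `debug.log.offset`, all using directives that exist in systemd 235.

```ini
# /etc/systemd/system/chiadog.service (added example, not the project's unit)
[Unit]
Description=chiadog log monitor (sandboxed)
After=network-online.target

[Service]
Type=simple
# Assumed service account and install location.
User=chia
WorkingDirectory=/home/chia/chiadog
# Assumed command line; the real entry point may differ.
ExecStart=/home/chia/chiadog/venv/bin/python3 main.py --config config.yaml

# Whole filesystem read-only, home read-only, no privilege escalation.
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
NoNewPrivileges=yes

# The only writable location: /run/chiadog, created for User= at start.
# The offset file goes here instead of the (now read-only) chiadog directory.
RuntimeDirectory=chiadog
# Hypothetical variable name telling chiadog where to put debug.log.offset.
Environment=CHIADOG_OFFSET_DIR=/run/chiadog

# Deny the siblings of .chia/mainnet/log one by one. Listing .chia itself
# would also hide log/ and cannot be re-opened by other directives.
# Directory names are assumptions; extend the list when new chia versions
# add directories. The leading "-" ignores paths that do not exist.
InaccessiblePaths=-/home/chia/.chia/mainnet/config
InaccessiblePaths=-/home/chia/.chia/mainnet/db
InaccessiblePaths=-/home/chia/.chia/mainnet/wallet
InaccessiblePaths=-/home/chia/.chia_keys

[Install]
WantedBy=multi-user.target
```

To run the check the PR suggests, use `systemctl edit chiadog` to add a drop-in whose `[Service]` section first resets the command with an empty `ExecStart=` and then sets `ExecStart=/bin/ls -lh /home/chia/.chia/mainnet`; the listing in `journalctl -u chiadog` then shows exactly what the sandboxed process can see, and only `log` should be readable. On systemd 240 or newer, `systemd-analyze security chiadog.service` additionally scores the unit and points out sandboxing directives that are still missing.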