deploy/hardening: drop ProcSubset=pid from the server drop-in (regression fix)
The hardening-extraction subagent (commit just prior) re-introduced
ProcSubset=pid into the server@ drop-in because the design plan's
template had it. The directive had previously been removed from the
live unit by ckn-bw 4339289 — it hides /proc/cpuinfo and breaks
SteamAPI master-server registration, leaving the server in LAN-only
fallback ("LAN servers are restricted to local clients (class C)").
Add a negative assertion in the drop-in test so the regression cannot
sneak back in via a copy-paste edit.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent e9c172a619
commit 3703749252
2 changed files with 15 additions and 2 deletions
@ -52,7 +52,15 @@ PrivateIPC=true
|
||||||
RestrictNamespaces=true
|
RestrictNamespaces=true
|
||||||
RestrictRealtime=true
|
RestrictRealtime=true
|
||||||
ProtectProc=invisible
|
ProtectProc=invisible
|
||||||
ProcSubset=pid
|
# ProcSubset=pid intentionally OMITTED — it hides /proc/cpuinfo and
|
||||||
|
# /proc/sys/*, which breaks Source's tier0/cpu.cpp and (downstream)
|
||||||
|
# SteamAPI_Init's pipe-creation step. Server then registers as LAN-only
|
||||||
|
# and rejects external clients with "LAN servers are restricted to
|
||||||
|
# local clients (class C)". PrivatePIDs=true (kernel PID namespace) is
|
||||||
|
# the load-bearing peer-process isolation; ProtectProc=invisible is the
|
||||||
|
# foreign-uid /proc hide. Losing ProcSubset=pid only exposes host kernel
|
||||||
|
# info (cpuinfo, meminfo, sysctls), which is not sensitive in this
|
||||||
|
# threat model. See ckn-bw commit 4339289 for the original fix.
|
||||||
ProtectKernelTunables=true
|
ProtectKernelTunables=true
|
||||||
ProtectKernelModules=true
|
ProtectKernelModules=true
|
||||||
ProtectKernelLogs=true
|
ProtectKernelLogs=true
|
||||||
|
|
|
||||||
|
|
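Review bot: the new comment block names PrivatePIDs=true as the load-bearing peer-process isolation, but that directive does not appear in this hunk's visible lines, so the rationale for dropping ProcSubset=pid rests on a setting the reader cannot confirm here; please make sure PrivatePIDs=true is actually set in this drop-in and is included in the test's positive directive list, so the compensating control is asserted alongside the new negative check. It would also help to say in the comment that /proc/sys stays covered by ProtectKernelTunables=true (retained on the lines directly below), since the comment states that ProcSubset=pid hid /proc/sys/* and a reader may otherwise conclude that surface is now fully exposed.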
@ -286,7 +286,6 @@ def test_server_hardening_dropin_present_with_directives():
|
||||||
"CapabilityBoundingSet=",
|
"CapabilityBoundingSet=",
|
||||||
"AmbientCapabilities=",
|
"AmbientCapabilities=",
|
||||||
"SystemCallArchitectures=native x86",
|
"SystemCallArchitectures=native x86",
|
||||||
"ProcSubset=pid",
|
|
||||||
"TemporaryFileSystem=/var/lib /etc /opt /home /root /srv /mnt /media",
|
"TemporaryFileSystem=/var/lib /etc /opt /home /root /srv /mnt /media",
|
||||||
"BindReadOnlyPaths=/var/lib/left4me/installation",
|
"BindReadOnlyPaths=/var/lib/left4me/installation",
|
||||||
"BindReadOnlyPaths=/var/lib/left4me/overlays",
|
"BindReadOnlyPaths=/var/lib/left4me/overlays",
|
||||||
|
|
@ -299,3 +298,9 @@ def test_server_hardening_dropin_present_with_directives():
|
||||||
assert "SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete @privileged" in text
|
assert "SystemCallFilter=~@debug @mount @raw-io @reboot @swap @cpu-emulation @obsolete @privileged" in text
|
||||||
# MemoryDenyWriteExecute must remain absent (Source engine compat).
|
# MemoryDenyWriteExecute must remain absent (Source engine compat).
|
||||||
assert "MemoryDenyWriteExecute" not in text
|
assert "MemoryDenyWriteExecute" not in text
|
||||||
|
# ProcSubset=pid must remain absent — hides /proc/cpuinfo and breaks
|
||||||
|
# SteamAPI master-server registration (LAN-only fallback). See
|
||||||
|
# ckn-bw 4339289 and the comment block in the drop-in itself.
|
||||||
|
for line in text.splitlines():
|
||||||
|
bare = line.split("#", 1)[0].strip()
|
||||||
|
assert bare != "ProcSubset=pid", "ProcSubset=pid must not be active in the server drop-in"
|
||||||
|
|
|
||||||
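Review bot: the negative check compares the comment-stripped line to the exact string "ProcSubset=pid", so whitespace variants that systemd still parses as the active directive (unit-file syntax ignores whitespace around "=", e.g. `ProcSubset = pid`) would slip past it; normalize before comparing, for instance `key, _, val = bare.partition("=")` followed by `assert not (key.strip() == "ProcSubset" and val.strip() == "pid")`, which also handles trailing whitespace. Two smaller points: the assertion message does not include the offending line, so on failure the reader has to reopen the file to find it, and the check is appended to test_server_hardening_dropin_present_with_directives even though it asserts absence; a dedicated test next to the existing MemoryDenyWriteExecute absence check would make the regression name itself in the test report.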