This commit includes strict, but still compatible, service hardening for
transmission-daemon.service. The main goal is a defense-in-depth
strategy that protects users from unknown vulnerabilities in
transmission.

In practice, transmission does not use any of the features that are
blocked in this hardening. However, this is still a network-facing
daemon that, by design, accepts connections from unknown peers. So
better safe than sorry.

This commit also installs the service via CMake.

Co-authored-by: LaserEyess <LaserEyess@users.noreply.github.com>

network.target does not guarantee interfaces are fully configured, which
can result in bound addresses not being available when the daemon
starts. This leads to errors on start-up and potentially broken
connectivity.
network-online.target does provide these guarantees, but needs a
slightly different dependency configuration with Wants= on top of After=
(cf. systemd.special(7)).
Closes #2720.

ProtectSystem mounts /boot, /efi and /usr as read-only, basically
disallowing the daemon from ever writing there. PrivateTmp sets up a
file system namespace for /tmp and /var/tmp/, basically hiding them from
other processes.

Co-authored-by: Charles Kerr <charles@charleskerr.com>

Attempts to create memory mappings that are writable and executable at the same time, or to change existing memory mappings to become executable, or mapping shared memory segments as executable are prohibited.
There's no reason transmission should be doing that. If it does, it's because of malicious code exploiting a vulnerability.
See: https://www.freedesktop.org/software/systemd/man/systemd.exec.html#MemoryDenyWriteExecute=
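
As an added illustration (not part of these commits or the project's own code), the following Python check reports whether a unit file carries the settings the messages above describe. The sample units are constructed and the function names are hypothetical; `ProtectSystem=true` is assumed because the message lists /boot, /efi and /usr.

```python
# Added example: audit a unit file for the settings the commit messages describe.
TRUTHY = {"1", "yes", "true", "on"}  # systemd boolean spellings for "enabled"

def parse_unit(text):
    """Return {section: {key: [values...]}}; repeated assignments accumulate."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            section.setdefault(key, []).extend(value.split())
    return unit

def audit(text):
    """Return findings for a unit file; an empty list means all checks pass."""
    unit = parse_unit(text)
    deps, svc = unit.get("Unit", {}), unit.get("Service", {})
    last = lambda key: (svc.get(key) or [""])[-1].lower()  # last assignment wins
    findings = []
    # After= only orders start-up; Wants= is what pulls the target in.
    for key in ("After", "Wants"):
        if "network-online.target" not in deps.get(key, []):
            findings.append(f"{key}= lacks network-online.target")
    # ProtectSystem= also accepts the stricter values "full" and "strict".
    if last("ProtectSystem") not in TRUTHY | {"full", "strict"}:
        findings.append("ProtectSystem= is not enabled")
    # Only boolean spellings are recognised here; anything else is reported.
    for key in ("PrivateTmp", "MemoryDenyWriteExecute"):
        if last(key) not in TRUTHY:
            findings.append(f"{key}= is not enabled")
    return findings

# Constructed sample units (assumed paths; not the project's actual service file).
UNHARDENED = """[Unit]
After=network.target
[Service]
ExecStart=/usr/bin/transmission-daemon -f
"""
HARDENED = """[Unit]
Wants=network-online.target
After=network-online.target
[Service]
ExecStart=/usr/bin/transmission-daemon -f
ProtectSystem=true
PrivateTmp=true
MemoryDenyWriteExecute=true
"""

if __name__ == "__main__":
    for name, text in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        print(name, audit(text) or "ok")
```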