From a877ff2d4b4296a2d386eb3e56cd41ed47ff4253 Mon Sep 17 00:00:00 2001 From: Thomas Vogt Date: Sun, 22 Sep 2024 18:43:22 +0200 Subject: [PATCH] Systemd service file (#22) * Add example systemd service file * Mention systemd service file in README --- README.md | 6 ++-- inv_sig_helper.service | 80 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 82 insertions(+), 4 deletions(-) create mode 100644 inv_sig_helper.service diff --git a/README.md b/README.md index 087eee6..2c31549 100644 --- a/README.md +++ b/README.md @@ -69,12 +69,10 @@ Or you can run it manually but not recommended since you won't lock down the con #### Warning -We recommend running sig_helper inside a locked down environment like an LXC container or a systemd service where only the strict necessary is allowed. - -No example outside of Docker have been written for this but feel free to send your contribution. - This service runs untrusted code directly from Google. +We recommend running sig_helper inside a locked down environment like an LXC container or a systemd service where only the strict necessary is allowed. An examplary systemd service file is provided in `inv_sig_helper.service` which creates a socket in `/home/invidious/tmp/inv_sig_helper.sock`. + #### Instructions The service can run in Unix socket mode (default) or TCP mode: diff --git a/inv_sig_helper.service b/inv_sig_helper.service new file mode 100644 index 0000000..63393fc --- /dev/null +++ b/inv_sig_helper.service 
@@ -0,0 +1,80 @@
+[Unit]
+Description=inv_sig_helper (decrypt YouTube signatures and manage player information)
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+
+User=invidious
+Group=invidious
+
+# allow only the strict necessary since this service runs untrusted code directly from Google
+CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+CapabilityBoundingSet=~CAP_SYS_PTRACE
+CapabilityBoundingSet=~CAP_CHOWN CAP_FSETID CAP_SETFCAP
+CapabilityBoundingSet=~CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_IPC_OWNER
+CapabilityBoundingSet=~CAP_NET_ADMIN
+CapabilityBoundingSet=~CAP_SYS_MODULE
+CapabilityBoundingSet=~CAP_SYS_RAWIO
+CapabilityBoundingSet=~CAP_SYS_TIME
+CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE
+CapabilityBoundingSet=~CAP_KILL
+CapabilityBoundingSet=~CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW
+CapabilityBoundingSet=~CAP_SYSLOG
+CapabilityBoundingSet=~CAP_SYS_NICE CAP_SYS_RESOURCE
+CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE
+CapabilityBoundingSet=~CAP_SYS_BOOT
+CapabilityBoundingSet=~CAP_LINUX_IMMUTABLE
+CapabilityBoundingSet=~CAP_IPC_LOCK
+CapabilityBoundingSet=~CAP_SYS_CHROOT
+CapabilityBoundingSet=~CAP_BLOCK_SUSPEND
+CapabilityBoundingSet=~CAP_LEASE
+CapabilityBoundingSet=~CAP_SYS_PACCT
+CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG
+CapabilityBoundingSet=~CAP_WAKE_ALARM
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectControlGroups=true
+ProtectHome=tmpfs
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RemoveIPC=true
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@obsolete
+
+BindReadOnlyPaths=/home/invidious/inv_sig_helper
+BindPaths=/home/invidious/tmp
+
+WorkingDirectory=/home/invidious/inv_sig_helper
+ExecStart=/home/invidious/inv_sig_helper/target/release/inv_sig_helper_rust /home/invidious/tmp/inv_sig_helper.sock
+
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
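Review bot: The `CapabilityBoundingSet=~...` denylist in `[Service]` is incomplete — CAP_MKNOD, CAP_BPF, CAP_PERFMON and CAP_CHECKPOINT_RESTORE appear in none of the `~` lines, and any capability a newer kernel introduces stays in the bounding set as well. Since the unit already runs as `User=invidious` with `NoNewPrivileges=true`, the process needs no capability at all, so the whole list can be replaced by the stricter and shorter empty set, `CapabilityBoundingSet=`. The unit also sets no `UMask=`, so the mode of the socket the binary creates under `/home/invidious/tmp` depends on the default umask and may be connectable by every local user; `UMask=0077` (or `0007` with the Invidious process in group `invidious`) limits who can submit requests to the sandboxed interpreter — confirm against how the binary creates the socket. Finally, `After=syslog.target` refers to an obsolete target that current systemd no longer provides and can be dropped, leaving `After=network.target`.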