
WiP: enable sandboxing for mosquitto systemd service

carstenandrich opened this issue 4 years ago

Systemd has supported various sandboxing features and seccomp syscall filtering for services for a while now. As a network facing daemon, mosquitto could benefit from using both features to reduce the potential impact of security vulnerabilities.

This pull request modifies the systemd .service files to make use of both features. It enables everything that systemd-analyze security suggests (except for features that would interfere with mosquitto's operation, of course) and also sets a syscall whitelist based on syscalls made by mosquitto during normal operation (see below for details). Therefore, the list may be short a few sparsely used syscalls.

The pull request also includes a highly experimental idea to reduce the potential extent of information disclosure even further. By using TemporaryFileSystem=/:ro to mount a read-only tmpfs on / and then binding only files/directories required to run mosquitto into that tmpfs, the majority of the actual root file system is inaccessible to mosquitto. Even though I'm using it, I don't consider it ready for upstream use, because it interferes with systemd's ProtectSystem and is likely specific to Debian and x86-64. Therefore, it is commented out.

How was this tested: Since I did not modify the source code, I did not run make test as requested. I also only tried it with mosquitto 2.0.10-6 on Debian Sid when run with the default configuration and only with a pair of mosquitto_pub and mosquitto_sub clients. If you're interested in merging this PR, I could invest more time into tests, of course.

carstenandrich Jun 05 '21 17:06
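Since the PR's own diff is not reproduced on this page, here is an added example drop-in (not the author's change) that applies the directives described above as /etc/systemd/system/mosquitto.service.d/hardening.conf on a Debian install. It assumes the Debian package paths named in the comments and the default configuration the PR was tested with (listeners on 1883/8883, no bridges), and it uses systemd's @system-service syscall group in place of the strace-derived whitelist, which is not shown on the page.

```ini
# Added example drop-in (not the PR's own diff). Paths assume the Debian
# package layout: /etc/mosquitto (config), /var/lib/mosquitto (persistence),
# /var/log/mosquitto (log_dest file), /run/mosquitto (pid file).
[Service]
# Run unprivileged from the start; mosquitto skips its own setuid() drop when
# not started as root, so no capabilities are needed for 1883/8883 listeners.
User=mosquitto
Group=mosquitto
CapabilityBoundingSet=
NoNewPrivileges=yes

# File system: whole OS read-only, writable only where the broker must write.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ReadWritePaths=/var/lib/mosquitto /var/log/mosquitto /run/mosquitto

# Kernel and process surface (the items systemd-analyze security flags).
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RemoveIPC=yes

# Network: TCP listeners plus AF_UNIX for the journal/syslog socket.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX

# seccomp: start from systemd's @system-service group instead of a hand-built
# whitelist, then deny privileged and resource-tuning syscalls (SIGSYS on hit).
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources

# Experimental idea from the PR, left commented out: replace / with a read-only
# tmpfs and bind in only what mosquitto needs. Incompatible with ProtectSystem=
# above, Debian/x86-64 specific, and the bind list is a starting point only.
#TemporaryFileSystem=/:ro
#BindReadOnlyPaths=/usr /lib /lib64 /etc/ld.so.cache /etc/passwd /etc/group /etc/ssl /etc/mosquitto
#BindPaths=/var/lib/mosquitto /var/log/mosquitto /run/mosquitto
```

After systemctl daemon-reload and a restart, systemd-analyze security mosquitto.service scores the result, and journalctl -u mosquitto shows any SIGSYS kill or EACCES/EROFS write failure that points at a directive too tight for the local configuration.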