Implement FR #72510: systemd service should be hardened

NEWS

@@ -9,6 +9,9 @@ PHP                                                                        NEWS
 - Date:
   . Fixed bug #75232 (print_r of DateTime creating side-effect). (Nikita)
 
+- FPM:
+  . Implemented FR #72510 (systemd service should be hardened). (Craig Andrews)
+
 - GD:
   . Fixed bug #73291 (imagecropauto() $threshold differs from external libgd).
     (cmb)

sapi/fpm/php-fpm.service.in

@@ -11,7 +11,61 @@ Type=@php_fpm_systemd@
 PIDFile=@EXPANDED_LOCALSTATEDIR@/run/php-fpm.pid
 ExecStart=@EXPANDED_SBINDIR@/php-fpm --nodaemonize --fpm-config @EXPANDED_SYSCONFDIR@/php-fpm.conf
 ExecReload=/bin/kill -USR2 $MAINPID
+
+# Set up a new file system namespace and mounts private /tmp and /var/tmp directories
+# so this service cannot access the global directories and other processes cannot
+# access this service's directories.
 PrivateTmp=true
 
+# The directories /home, /root and /run/user are made inaccessible and empty for processes
+# invoked by this unit.
+ProtectHome=true
+
+# Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
+ProtectSystem=full
+
+# Ensures that the service process and all its children can never gain new privileges
+NoNewPrivileges=true
+
+# Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
+# such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
+# but no physical devices such as /dev/sda.
+PrivateDevices=true
+
+# Required for dropping privileges and running as a different user
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID
+
+# Attempts to create memory mappings that are writable and executable at the same time,
+# or to change existing memory mappings to become executable are prohibited.
+MemoryDenyWriteExecute=true
+
+# Explicit module loading will be denied. This allows to turn off module load and unload
+# operations on modular kernels. It is recommended to turn this on for most services that
+# do not need special file systems or extra kernel modules to work.
+ProtectKernelModules=true
+
+# Kernel variables accessible through /proc/sys, /sys, /proc/sysrq-trigger, /proc/latency_stats,
+# /proc/acpi, /proc/timer_stats, /proc/fs and /proc/irq will be made read-only to all processes
+# of the unit. Usually, tunable kernel variables should only be written at boot-time, with the
+# sysctl.d(5) mechanism. Almost no services need to write to these at runtime; it is hence
+# recommended to turn this on for most services.
+ProtectKernelTunables=true
+
+# The Linux Control Groups (cgroups(7)) hierarchies accessible through /sys/fs/cgroup will be
+# made read-only to all processes of the unit. Except for container managers no services should
+# require write access to the control groups hierarchies; it is hence recommended to turn this on
+# for most services
+ProtectControlGroups=true
+
+# Any attempts to enable realtime scheduling in a process of the unit are refused.
+RestrictRealtime=true
+
+# Restricts the set of socket address families accessible to the processes of this unit.
+# Protects against vulnerabilities such as CVE-2016-8655
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+
+# Takes away the ability to create or manage any kind of namespace
+RestrictNamespaces=true
+
 [Install]
 WantedBy=multi-user.target