l4p.service

[Unit]
Description=l4p - Layer 4 proxy

After=network-online.target
Wants=network-online.target

[Install]
WantedBy=default.target

[Service]
Type=simple

# Allow read-only access to the config directory
ReadOnlyPaths=/etc/l4p
# Path to the binary
ExecStart=/usr/local/bin/l4p

# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports
# When using ports above 1024, these should be made empty
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE

# Run as a dynamic user
DynamicUser=yes

# Security
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
SystemCallFilter=@basic-io @file-system @network-io @system-service
SystemCallFilter=~@privileged
SystemCallFilter=~@resources
NoNewPrivileges=yes
ProtectProc=invisible
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
ProcSubset=pid
UMask=0077
SystemCallArchitectures=native
RestrictSUIDSGID=yes
ProtectKernelTunables=yes
Add example systemd unit with security protections This is just about as secure as this process can get Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 21:43:06 +01:00			`[Unit]`
Rename to l4p, update references and README.md Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 22:31:17 +01:00			`Description=l4p - Layer 4 proxy`
Add example systemd unit with security protections This is just about as secure as this process can get Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 21:43:06 +01:00
			`After=network-online.target`
			`Wants=network-online.target`

			`[Install]`
			`WantedBy=default.target`

			`[Service]`
			`Type=simple`

			`# Allow read-only access to the config directory`
Rename to l4p, update references and README.md Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 22:31:17 +01:00			`ReadOnlyPaths=/etc/l4p`
Add example systemd unit with security protections This is just about as secure as this process can get Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 21:43:06 +01:00			`# Path to the binary`
Rename to l4p, update references and README.md Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 22:31:17 +01:00			`ExecStart=/usr/local/bin/l4p`
Add example systemd unit with security protections This is just about as secure as this process can get Signed-off-by: Jacob Kiers <code@kiers.eu> 2024-02-22 21:43:06 +01:00
			`# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports`
			`# When using ports above 1024, these should be made empty`
			`AmbientCapabilities=CAP_NET_BIND_SERVICE`
			`CapabilityBoundingSet=CAP_NET_BIND_SERVICE`

			`# Run as a dynamic user`
			`DynamicUser=yes`

			`# Security`
			`PrivateTmp=yes`
			`PrivateDevices=yes`
			`ProtectSystem=strict`
			`ProtectHome=yes`
			`SystemCallFilter=@basic-io @file-system @network-io @system-service`
			`SystemCallFilter=~@privileged`
			`SystemCallFilter=~@resources`
			`NoNewPrivileges=yes`
			`ProtectProc=invisible`
			`RemoveIPC=yes`
			`RestrictAddressFamilies=AF_INET AF_INET6`
			`RestrictNamespaces=yes`
			`ProtectHostname=yes`
			`ProtectClock=yes`
			`ProtectKernelModules=yes`
			`ProtectKernelLogs=yes`
			`ProtectControlGroups=yes`
			`LockPersonality=yes`
			`MemoryDenyWriteExecute=yes`
			`RestrictRealtime=yes`
			`ProcSubset=pid`
			`UMask=0077`
			`SystemCallArchitectures=native`
			`RestrictSUIDSGID=yes`
			`ProtectKernelTunables=yes`