Add example systemd unit with security protections

This is just about as secure as this process can get Signed-off-by: Jacob Kiers <code@kiers.eu>
2024-02-22 21:43:06 +01:00 · 2024-02-22 21:43:06 +01:00 · ec9ab1d2bc
commit ec9ab1d2bc
parent bb81a32349
1 changed files with 51 additions and 0 deletions
--- a/fourth.service
+++ b/fourth.service
@ -0,0 +1,51 @@
+[Unit]
+Description=Fourth - Layer 4 proxy
+
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=simple
+
+# Allow read-only access to the config directory
+ReadOnlyPaths=/etc/fourth
+# Path to the binary
+ExecStart=/usr/local/bin/fourth
+
+# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports
+# When using ports above 1024, these should be made empty
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Run as a dynamic user
+DynamicUser=yes
+
+# Security
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+SystemCallFilter=@basic-io @file-system @network-io @system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+NoNewPrivileges=yes
+ProtectProc=invisible
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+ProcSubset=pid
+UMask=0077
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
+ProtectKernelTunables=yes