Add example systemd unit with security protections
This is just about as secure as this process can get Signed-off-by: Jacob Kiers <code@kiers.eu>
This commit is contained in:
parent
bb81a32349
commit
ec9ab1d2bc
|
|
@ -0,0 +1,51 @@
|
|||
[Unit]
|
||||
Description=Fourth - Layer 4 proxy
|
||||
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Install]
|
||||
WantedBy=default.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
|
||||
# Allow read-only access to the config directory
|
||||
ReadOnlyPaths=/etc/fourth
|
||||
# Path to the binary
|
||||
ExecStart=/usr/local/bin/fourth
|
||||
|
||||
# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports
|
||||
# When using ports above 1024, these should be made empty
|
||||
AmbientCapabilities=CAP_NET_BIND_SERVICE
|
||||
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
|
||||
# Run as a dynamic user
|
||||
DynamicUser=yes
|
||||
|
||||
# Security
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
ProtectSystem=strict
|
||||
ProtectHome=yes
|
||||
SystemCallFilter=@basic-io @file-system @network-io @system-service
|
||||
SystemCallFilter=~@privileged
|
||||
SystemCallFilter=~@resources
|
||||
NoNewPrivileges=yes
|
||||
ProtectProc=invisible
|
||||
RemoveIPC=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
ProtectHostname=yes
|
||||
ProtectClock=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectControlGroups=yes
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
ProcSubset=pid
|
||||
UMask=0077
|
||||
SystemCallArchitectures=native
|
||||
RestrictSUIDSGID=yes
|
||||
ProtectKernelTunables=yes
|
||||
Loading…
Reference in New Issue