From ec9ab1d2bc5c6be973186a2d44e776e9d7f70d31 Mon Sep 17 00:00:00 2001
From: Jacob Kiers
Date: Thu, 22 Feb 2024 21:43:06 +0100
Subject: [PATCH] Add example systemd unit with security protections

This is just about as secure as this process can get

Signed-off-by: Jacob Kiers
---
fourth.service | 51 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 51 insertions(+)
create mode 100644 fourth.service

diff --git a/fourth.service b/fourth.service
new file mode 100644
index 0000000..5e33d9c
--- /dev/null
+++ b/fourth.service
@@ -0,0 +1,51 @@
+[Unit]
+Description=Fourth - Layer 4 proxy
+
+After=network-online.target
+Wants=network-online.target
+
+[Install]
+WantedBy=default.target
+
+[Service]
+Type=simple
+
+# Allow read-only access to the config directory
+ReadOnlyPaths=/etc/fourth
+# Path to the binary
+ExecStart=/usr/local/bin/fourth
+
+# Needs CAP_NET_BIND_SERVICE in order to bind to lower ports
+# When using ports above 1024, these should be made empty
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+
+# Run as a dynamic user
+DynamicUser=yes
+
+# Security
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+ProtectHome=yes
+SystemCallFilter=@basic-io @file-system @network-io @system-service
+SystemCallFilter=~@privileged
+SystemCallFilter=~@resources
+NoNewPrivileges=yes
+ProtectProc=invisible
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+ProcSubset=pid
+UMask=0077
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
+ProtectKernelTunables=yes
\ No newline at end of file
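Review bot: The CAP_NET_BIND_SERVICE grant at `AmbientCapabilities=`/`CapabilityBoundingSet=` lets the process bind any privileged port rather than only the one the proxy serves; on a systemd with BPF support the grant can be narrowed with `SocketBindAllow=tcp:<listen-port>` followed by `SocketBindDeny=any`, so a compromised process cannot take over other low ports. The first `SystemCallFilter=` line is redundant as written, since `@system-service` already contains `@basic-io`, `@file-system` and `@network-io`, so `SystemCallFilter=@system-service` alone expresses the same allow-list (the `~@privileged` and `~@resources` lines still tighten it and can stay). `MemoryDenyWriteExecute=yes` will break the service if `/usr/local/bin/fourth` relies on a JIT or other writable-and-executable mappings; the unit gives no hint what the binary is built with, so that is worth confirming against the actual runtime. The file also ends without a trailing newline.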