Add protection features to service definition
Signed-off-by: Jacob Kiers <jacob@jacobkiers.net>
This commit is contained in:
parent
ac51541c0c
commit
0569591aa5
|
@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
|
|||
|
||||
## [Unreleased]
|
||||
|
||||
### Changed
|
||||
|
||||
* Added protection features to example systemd service file
|
||||
|
||||
## [0.2.3] - 2022-12-29
|
||||
|
||||
### Added
|
||||
|
|
|
@ -1,7 +1,42 @@
|
|||
[Unit]
|
||||
Description=Create newsletter feed
|
||||
|
||||
After=network-online.target
|
||||
Wants=network-online.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
WorkingDirectory=/home/n2w
|
||||
WorkingDirectory=/home/n2w/n2w
|
||||
ExecStart=/home/n2w/build-feed.sh
|
||||
User=n2w
|
||||
|
||||
# Security
|
||||
PrivateTmp=yes
|
||||
PrivateDevices=yes
|
||||
ProtectSystem=strict
|
||||
SystemCallFilter=@system-service
|
||||
#SystemCallFilter=@basic-io @file-system @network-io mprotect
|
||||
CapabilityBoundingSet=
|
||||
NoNewPrivileges=yes
|
||||
ProtectProc=invisible
|
||||
RemoveIPC=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=yes
|
||||
PrivateUsers=yes
|
||||
|
||||
# ProtectHostname and ProcSubset=pid cannot go together
|
||||
# see: https://github.com/systemd/systemd/pull/22203
|
||||
# This is fixed in systemd v251
|
||||
#ProtectHostname=yes
|
||||
ProtectClock=yes
|
||||
ProtectKernalTunables=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectControlGroups=yes
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
RestrictRealtime=yes
|
||||
ProcSubset=pid
|
||||
UMask=0077
|
||||
SystemCallArchitectures=native
|
||||
RestrictSUIDSGID=yes
|
||||
|
|
Loading…
Reference in New Issue