From 0569591aa5e83eb6540e27e60aa9df0d4ae452cd Mon Sep 17 00:00:00 2001
From: Jacob Kiers
Date: Sat, 21 Jan 2023 20:22:50 +0100
Subject: [PATCH] Add protection features to service definition

Signed-off-by: Jacob Kiers
---
 CHANGELOG.md | 4 ++++
 systemd/newsletter2web.service | 37 +++++++++++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 98e8956..01050e7 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Changed
+
+* Added protection features to example systemd service file
+
 ## [0.2.3] - 2022-12-29
 
 ### Added
diff --git a/systemd/newsletter2web.service b/systemd/newsletter2web.service
index 4eefd60..36a6899 100644
--- a/systemd/newsletter2web.service
+++ b/systemd/newsletter2web.service
@@ -1,7 +1,42 @@
 [Unit]
 Description=Create newsletter feed
+After=network-online.target
+Wants=network-online.target
+
 [Service]
 Type=oneshot
-WorkingDirectory=/home/n2w
+WorkingDirectory=/home/n2w/n2w
 ExecStart=/home/n2w/build-feed.sh
+User=n2w
+
+# Security
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=strict
+SystemCallFilter=@system-service
+#SystemCallFilter=@basic-io @file-system @network-io mprotect
+CapabilityBoundingSet=
+NoNewPrivileges=yes
+ProtectProc=invisible
+RemoveIPC=yes
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+PrivateUsers=yes
+
+# ProtectHostname and ProcSubset=pid cannot go together
+# see: https://github.com/systemd/systemd/pull/22203
+# This is fixed in systemd v251
+#ProtectHostname=yes
+ProtectClock=yes
+ProtectKernalTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+ProcSubset=pid
+UMask=0077
+SystemCallArchitectures=native
+RestrictSUIDSGID=yes
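Review bot: The key `ProtectKernalTunables=yes` in the [Service] hunk is misspelled, and systemd treats unknown keys as a warning and ignores them, so /proc/sys, /sys and friends stay writable even though the file reads as if they were protected; it should be `ProtectKernelTunables=yes`. Running `systemd-analyze verify` on the unit would have flagged the unknown key and is worth noting in the comment block for anyone extending the list. Separately, `ProtectSystem=strict` mounts the whole file system read-only apart from /dev, /proc and /sys, so unless build-feed.sh only writes to /tmp it will presumably need a `ReadWritePaths=` entry for wherever it writes under /home/n2w/n2w — I cannot confirm the script's write locations from this hunk, so please verify against build-feed.sh. The hunk header announces 42 new lines but only 41 are visible here, so one context line (likely a trailing blank) appears to be missing from the extract.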