improve security of systemd unit

from ~3 to ~2
Marek Küthe
2023-06-08 13:35:29 +02:00
parent 6c95b64750
commit 8a84dbe321


@ -5,6 +5,42 @@ StartLimitIntervalSec=0
Requires=i2p.service
[Service]
RestrictAddressFamilies=AF_INET AF_INET6
PrivateTmp=yes
DeviceAllow=
PrivateDevices=true
PrivateMounts=true
ProtectClock=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=noaccess
ProtectSystem=true
ProtectHome=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
SystemCallFilter=~@privileged
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@obsolete
RestrictNamespaces=true
RestrictRealtime=true
LockPersonality=true
MemoryDenyWriteExecute=true
RemoveIPC=true
UMask=600
ProtectHostname=true
ProcSubset=pid
NoNewPrivileges=true
CapabilityBoundingSet=
User=i2psvc
WorkingDirectory=/var/lib/i2p/i2p-config/reseed
ExecStart=/usr/bin/reseed-tools reseed --yes=true --netdb=/var/lib/i2p/i2p-config/netDb
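Review bot: `UMask=600` on the UMask line is almost certainly not the intended mask: systemd parses the value as octal, so 0600 clears the owner's read and write bits, and files this unit creates under the reseed/netDb directories would come out mode 0066 — unusable by i2psvc itself yet readable and writable by every other local user, the opposite of the hardening the commit is after. The value that restricts other users is `UMask=0077` (or `0027` if a group needs read access). Separately, `ProtectSystem=true` only makes /usr, /boot and /efi read-only; since the only writable locations visible here are the WorkingDirectory and the --netdb path, `ProtectSystem=strict` together with `ReadWritePaths=/var/lib/i2p/i2p-config` would cover the rest of the filesystem, provided a run confirms reseed-tools writes nowhere else. As a point of style, `PrivateTmp=yes` is the one boolean written as yes while every other directive uses true. The [Service] section appears to continue past the last visible line, so a later directive overriding any of these would be out of view.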