mirror of
https://github.com/strukturag/nextcloud-spreed-signaling
synced 2024-05-04 23:03:09 +02:00
Merge pull request #276 from Tachi107/systemd-hardening
dist: harden systemd service unit
This commit is contained in:
Joachim Bauch
GitHub
commit
5b3b147794
32
dist/init/systemd/signaling.service
vendored
32
dist/init/systemd/signaling.service
vendored
|
|
@ -7,5 +7,37 @@ User=signaling
|
|||
Group=signaling
|
||||
Restart=on-failure
|
||||
|
||||
# Makes sure that /etc/signaling is owned by this service
|
||||
ConfigurationDirectory=signaling
|
||||
|
||||
# Hardening - see systemd.exec(5)
|
||||
CapabilityBoundingSet=
|
||||
ExecPaths=/usr/bin/signaling /usr/lib
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
NoExecPaths=/
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
PrivateTmp=yes
|
||||
PrivateUsers=yes
|
||||
ProcSubset=pid
|
||||
ProtectClock=yes
|
||||
ProtectControlGroups=yes
|
||||
ProtectHome=yes
|
||||
ProtectHostname=yes
|
||||
ProtectKernelLogs=yes
|
||||
ProtectKernelModules=yes
|
||||
ProtectKernelTunables=yes
|
||||
ProtectProc=invisible
|
||||
ProtectSystem=strict
|
||||
RemoveIPC=yes
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
RestrictNamespaces=yes
|
||||
RestrictRealtime=yes
|
||||
RestrictSUIDSGID=yes
|
||||
SystemCallArchitectures=native
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallFilter=~ @privileged @resources
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
|
|||
Loading…
Reference in a new issue