From 0ec8e4e9a22d9a5e2586b740c06e7fa490b1e688 Mon Sep 17 00:00:00 2001
From: erdnaxe
Date: Sat, 21 May 2022 03:48:32 +0200
Subject: [PATCH] Harden Systemd configuration (#453)
---
 contrib/libreddit.service | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
diff --git a/contrib/libreddit.service b/contrib/libreddit.service
index b6e6fef..8ed5da7 100644
--- a/contrib/libreddit.service
+++ b/contrib/libreddit.service
@@ -11,5 +11,27 @@ Environment=PORT=8080
 EnvironmentFile=-/etc/libreddit.conf
 ExecStart=/usr/bin/libreddit -a ${ADDRESS} -p ${PORT}
+# Hardening
+DeviceAllow=
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+PrivateDevices=yes
+ProcSubset=pid
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service ~@privileged ~@resources
+UMask=0077
+
 [Install]
 WantedBy=default.target
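Review bot: The added "# Hardening" block protects /home and the kernel interfaces but leaves out the filesystem and capability directives that usually accompany this set, so the rest of the root filesystem is not made read-only for the service and no capability bounding set is declared; adding `ProtectSystem=strict`, `PrivateTmp=yes` and `CapabilityBoundingSet=` next to `ProtectHome=yes` would close that gap (EnvironmentFile=-/etc/libreddit.conf and the binary under /usr are only read, so strict mode should not need a ReadWritePaths= exception unless the service writes somewhere not visible here). `RestrictAddressFamilies=AF_INET AF_INET6` also drops AF_UNIX, which is correct only if nothing in the service opens a Unix socket — for example a `Type=notify` unit's sd_notify call or a local resolver socket; the `[Service]` header and any `User=`/`Type=` lines are above this hunk, so that cannot be confirmed from the diff and is worth a one-line comment such as `# AF_UNIX intentionally excluded: the service has no local-socket dependencies`. Because `MemoryDenyWriteExecute=yes` and `SystemCallFilter=@system-service ~@privileged ~@resources` can fail silently at runtime rather than at unit load, a note in the commit description or the unit on how the filter was validated (e.g. `systemd-analyze security libreddit.service` plus a functional run) would help the next maintainer who tightens or loosens it.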