systemd-security: add some easy wins
We can tighten security by adding the following to the systemd service file: * NoNewPrivileges: should never be needed * DevicePolicy: only basics required * PrivateDevices: only needs mounted stuff, never devs * ProtectSystem: no need to change boot * RestrictAddressFamilies: INET, UNIX only Signed-off-by: Marc <mail@lpcvoid.com>
This commit is contained in:
parent
64d1ea2d89
commit
9b6b9cca3d
1 changed files with 5 additions and 0 deletions
|
@ -17,6 +17,11 @@ KillMode=mixed
|
|||
PrivateTmp=true
|
||||
Restart=always
|
||||
RestartSec=10s
|
||||
NoNewPrivileges=yes
|
||||
PrivateDevices=yes
|
||||
DevicePolicy=closed
|
||||
ProtectSystem=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
Loading…
Reference in a new issue