service hardening: add more restrictions

Add RestrictSUIDSGID
Add RemoveIPC
Add RestrictRealtime
Add ProtectHostname
nixbitcoin 2020-05-06 10:19:14 +02:00
parent 3fbfa98635
commit ccc3a70344
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA


@ -21,6 +21,10 @@ with lib;
LockPersonality = "true"; LockPersonality = "true";
IPAddressDeny = "any"; IPAddressDeny = "any";
PrivateUsers = "true"; PrivateUsers = "true";
RestrictSUIDSGID = "true";
RemoveIPC = "true";
RestrictRealtime = "true";
ProtectHostname = "true";
CapabilityBoundingSet = ""; CapabilityBoundingSet = "";
# @system-service whitelist and docker seccomp blacklist (except for "clone" # @system-service whitelist and docker seccomp blacklist (except for "clone"
# which is a core requirement for systemd services) # which is a core requirement for systemd services)
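Review bot: `RemoveIPC = "true";` has a side effect the other three additions lack, and nothing beside it says so: per systemd.exec(5) it only acts when the unit sets User=, Group= or DynamicUser=, and on stop it deletes every System V and POSIX IPC object owned by that user or group, not just those this unit created. If this attribute set is applied to several services (it looks like a shared hardening default, but the enclosing set starts and ends outside the hunk), two units running as the same user would lose each other's shared memory and message queues whenever one of them stops or restarts. I would add a comment above the line such as `# RemoveIPC: needs User=/Group=; removes all IPC objects of that user on stop, so services must not share a user`. `RestrictSUIDSGID` and `ProtectHostname` are only recognised by systemd 242 and later, and older versions ignore them with a warning, so a short note on the minimum systemd version would help if older hosts are meant to be supported.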