services: improve default hardening

This commit is contained in:
nixbitcoin 2021-01-30 23:08:38 +01:00
parent 3b938a909f
commit d56a363d3d
No known key found for this signature in database
GPG Key ID: B6044ECBA2DAE5D0


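--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -15,6 +15,11 @@ let self = {
 MemoryDenyWriteExecute = "true";
 ProtectKernelTunables = "true";
 ProtectKernelModules = "true";
+ProtectKernelLogs = "true";
+ProtectClock = "true";
+# Test and enable these when systemd v247 is available
+# ProtectProc = "invisible";
+# ProcSubset = "pid";
 ProtectControlGroups = "true";
 RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
 RestrictNamespaces = "true";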
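Review bot: `ProtectClock = "true";` has a side effect on device access that the hunk does not document: per the systemd.exec documentation it implies a `DeviceAllow=char-rtc r` rule, and under the default `DevicePolicy=auto` the presence of any DeviceAllow= rule limits the unit to the standard pseudo-devices plus what is explicitly allowed. Since this edits the shared default set (the `let self = {` attribute set starts outside the hunk), every service inheriting these defaults that opens some other device node would now be denied, so the consuming units should be checked for needed `DeviceAllow` entries and the interaction recorded next to the new line, e.g. `# NOTE: implies DeviceAllow=char-rtc r, which narrows device access; services needing other devices must add DeviceAllow entries`. The `# Test and enable these when systemd v247 is available` comment would also be easier to resolve later if it named what is being waited on, e.g. `# ProtectProc=/ProcSubset= need systemd >= 247 (not in the current NixOS release)`.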