Harden systemd service

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
parent e06bfc6a
......@@ -20,6 +20,7 @@ PrivateTmp=true
# Network
# PrivateNetwork=true would block udev's netlink socket
IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# Execute Mappings
......@@ -34,5 +35,21 @@ RestrictRealtime=true
# Privilege escalation
NoNewPrivileges=true
# Capabilities
CapabilityBoundingSet=
# System call interfaces
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=ioprio_get
# Namespaces
PrivateUsers=yes
RestrictNamespaces=yes
# Locked memory
LimitMEMLOCK=0
[Install]
WantedBy=graphical.target
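Review bot: The `SystemCallFilter=@system-service` allow-list in the second hunk comes without a `SystemCallErrorNumber=` setting, so a call outside the list terminates the daemon with SIGSYS instead of failing with an error. Adding `SystemCallErrorNumber=EPERM` below the filter lines would let the service survive and report the denied call, for example when a library update starts using a syscall not on the list. The separate `SystemCallFilter=ioprio_get` line has no explanation; a comment above it such as `# ioprio_get: called by <component>, listed explicitly because <reason>` would tell a later maintainer why it must stay. The settings that appear to be new also spell booleans `yes` (`LockPersonality=yes`, `PrivateUsers=yes`, `RestrictNamespaces=yes`) where the surrounding unit uses `true`; one spelling throughout makes the unit easier to audit. The +/- markers are lost on this page, so which lines are new is inferred from the hunk headers.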