1
0

Further hardening in a radio's systemd unit.

This commit is contained in:
Alexander Andreev 2023-08-19 19:40:24 +04:00
parent bb5ec9f791
commit a31d93aa70
Signed by: Arav
GPG Key ID: D22A817D95815393

View File

@ -26,18 +26,34 @@ LockPersonality=true
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
NoNewPrivileges=true NoNewPrivileges=true
PrivateDevices=true PrivateDevices=true
PrivateTmp=true
ProtectClock=true ProtectClock=true
ProtectProc=noaccess
ProcSubset=pid
PrivateUsers=true
ProtectControlGroups=true ProtectControlGroups=true
ProtectHome=true ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true ProtectKernelLogs=true
ProtectKernelModules=true ProtectKernelModules=true
ProtectKernelTunables=true ProtectKernelTunables=true
ProtectProc=true
ProtectSystem=strict ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true RestrictNamespaces=true
RestrictRealtime=true RestrictRealtime=true
RestrictSUIDSGID=true RestrictSUIDSGID=true
SystemCallArchitectures=native SystemCallArchitectures=native
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@swap
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target