From 58197af85dfe47132da33d61dacc71316301f016 Mon Sep 17 00:00:00 2001
From: "Alexander \"Arav\" Andreev"
Date: Tue, 22 Aug 2023 18:24:02 +0400
Subject: [PATCH] Added new options to .service files. Hope it won't break a program. xD

---
 init/systemd/dwelling-upload-clean.service | 17 ++++++++++++++++-
 init/systemd/dwelling-upload.service | 15 +++++++++++++++
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/init/systemd/dwelling-upload-clean.service b/init/systemd/dwelling-upload-clean.service
index b0e358c..29f9e46 100755
--- a/init/systemd/dwelling-upload-clean.service
+++ b/init/systemd/dwelling-upload-clean.service
@@ -19,18 +19,33 @@
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=noaccess
 ProtectSystem=strict
-RestrictAddressFamilies=
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
 
 [Install]
 WantedBy=multi-user.target
diff --git a/init/systemd/dwelling-upload.service b/init/systemd/dwelling-upload.service
index 74bfdb5..d8de943 100755
--- a/init/systemd/dwelling-upload.service
+++ b/init/systemd/dwelling-upload.service
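Review bot: The new `SystemCallFilter=~…` deny-list lines in dwelling-upload-clean.service come with no `SystemCallErrorNumber=` beside them, so any call that lands in a denied group terminates the process with SIGSYS instead of returning an error, and the commit message says this is untested; setting `SystemCallErrorNumber=EPERM` during rollout, or at least checking `systemd-analyze security` and the journal for SIGSYS after the first run, turns a silent kill into a diagnosable failure. The identical block is added to dwelling-upload.service in the next hunk, where the same applies. Per systemd.exec(5) `@privileged` already includes `@clock`, `@module`, `@raw-io`, `@reboot` and `@swap`, so those five lines are redundant (harmless, but they could be dropped to keep the list readable). `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` replaces the previous empty, i.e. unrestricted, value; if this clean-up job only touches the filesystem, `RestrictAddressFamilies=none` would be the tighter setting, which I cannot confirm from the hunk because the `[Service]` section and its `ExecStart=` begin before line 19.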
@@ -28,18 +28,33 @@
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateDevices=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
 ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
+ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=noaccess
 ProtectSystem=strict
 RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true
 RestrictSUIDSGID=true
 SystemCallArchitectures=native
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@swap
 
 [Install]
 WantedBy=multi-user.target
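Review bot: `PrivateTmp=true` gives dwelling-upload.service its own /tmp and /var/tmp, and the previous hunk gives dwelling-upload-clean.service a separate private one, so if the upload service stages files under /tmp that the cleaner is meant to sweep, the two units stop seeing the same directory after this change. I cannot tell from the hunk where uploads are stored, since the `[Service]` section begins before line 28; if they do share a tmp directory, either point both units at a persistent path outside /tmp or use `JoinsNamespaceOf=` so the cleaner runs in the same mount namespace. Likewise `PrivateUsers=true` makes files owned by any account other than the unit's own user and root appear as nobody inside the service, which matters if the upload directory is owned by a different account than the one the unit runs as.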