Lock down systemd unit definition

author: Grégoire Duchêne <gduchene@awhk.org> 2022-01-30 14:38:43 +0000
committer: Grégoire Duchêne <gduchene@awhk.org> 2022-01-30 14:38:43 +0000
commit: 4b8e1c2d7fa7d2260b144d32987b52e0df392fd2 (patch)
tree: 5b003fc2efa1fd71156d76d11a83be7b294ef3f9 /systemd
parent: 3093c4cffa82211fd8ab3a141e54fcf9c10a8012 (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/systemd/go-import-redirect.service b/systemd/go-import-redirect.service
index 38d8023..86f02a3 100644
--- a/systemd/go-import-redirect.service
+++ b/systemd/go-import-redirect.service
@@ -6,7 +6,34 @@ Description=go-import-redirect
 
 [Service]
 ExecStart=go-import-redirect
+
+CapabilityBoundingSet=
 DynamicUser=true
+IPAddressDeny=any
+LockPersonality=true
+MemoryDenyWriteExecute=true
+NoNewPrivileges=true
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+PrivateUsers=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=strict
+RestrictAddressFamilies=none
+RestrictNamespaces=true
+RestrictRealtime=true
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+UMask=0077
 
 [Install]
 WantedBy=multi-user.target
author	Grégoire Duchêne <gduchene@awhk.org>	2022-01-30 14:38:43 +0000
committer	Grégoire Duchêne <gduchene@awhk.org>	2022-01-30 14:38:43 +0000
commit	4b8e1c2d7fa7d2260b144d32987b52e0df392fd2 (patch)
tree	5b003fc2efa1fd71156d76d11a83be7b294ef3f9 /systemd
parent	3093c4cffa82211fd8ab3a141e54fcf9c10a8012 (diff)