| -rw-r--r-- | README.md | 4 | ||||
| -rw-r--r-- | systemd/go-import-redirect.service | 27 |
2 files changed, 31 insertions, 0 deletions
@@ -21,6 +21,10 @@ It is recommended to enable the companion systemd socket and customize it so systemd can start the service when needed and pass the socket to `go-import-redirect`. +If you do not want to use socket activation, you must override the +`IPAddressDeny` and `RestrictAddressFamilies` unit settings to +appropriate values. + Likewise, you must customize the service definition to pass the right flag values. diff --git a/systemd/go-import-redirect.service b/systemd/go-import-redirect.service index 38d8023..86f02a3 100644 --- a/systemd/go-import-redirect.service +++ b/systemd/go-import-redirect.service @@ -6,7 +6,34 @@ Description=go-import-redirect [Service] ExecStart=go-import-redirect + +CapabilityBoundingSet= DynamicUser=true +IPAddressDeny=any +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateNetwork=true +PrivateTmp=true +PrivateUsers=true +ProcSubset=pid +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible +ProtectSystem=strict +RestrictAddressFamilies=none +RestrictNamespaces=true +RestrictRealtime=true +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@privileged @resources +UMask=0077 [Install] WantedBy=multi-user.target |
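Review bot: the README hunk tells users without socket activation to override only `IPAddressDeny` and `RestrictAddressFamilies`, but the service hunk in the same commit also sets `PrivateNetwork=true`, which puts the process in a private network namespace with nothing but a loopback device; overriding just the two named settings still leaves a non-socket-activated instance unable to listen on a real interface. Suggest naming all three, e.g. "you must override the `IPAddressDeny`, `RestrictAddressFamilies` and `PrivateNetwork` unit settings to appropriate values."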
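Review bot: the combination of `PrivateNetwork=true`, `IPAddressDeny=any` and `RestrictAddressFamilies=none` in the service hunk means the process can no longer create a socket of its own (`RestrictAddressFamilies=` filters socket(2) only, so accepting on the listener inherited from the socket unit still works); socket activation therefore becomes mandatory rather than "recommended", and that should be expressed in the unit, e.g. `Requires=go-import-redirect.socket` and `After=go-import-redirect.socket` in `[Unit]` (not visible in this hunk's context), so that starting the service alone pulls the socket unit in instead of running a server that cannot listen. Two smaller points: `RestrictSUIDSGID=true` is absent from an otherwise complete sandbox set, and `ProtectProc=` and `ProcSubset=` require systemd 247 or newer; older systemd logs a warning and ignores unknown settings, so the hardening degrades silently, and a minimum-version note in the README would help. The lone `+` blank line inserted between `ExecStart=` and `CapabilityBoundingSet=` is a style nit.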
