From 1ac3a1c1f750a2a57f4b8e7abf5ed154611eef28 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 11 Nov 2020 19:15:01 +0100
Subject: [PATCH] Add RestrictNamespaces=yes

---
 conf/systemd.service | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 27fa8a5..d0ddbf0 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -16,14 +16,16 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
+RestrictNamespaces=yes
+RestrictRealtime=yes
 DevicePolicy=closed
 ProtectSystem=full
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
-RestrictRealtime=yes
 LockPersonality=yes
+
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
 CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD