From f6f814e69b1c687aa4d6b6c04744418ca4d409ce Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 19 Jan 2022 19:40:39 +0100
Subject: [PATCH 1/3] Update systemd.service

---
 conf/systemd.service | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 31e9da3..13d2588 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -22,12 +22,17 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed
+ProtectClock=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectProc=invisible
 ProtectSystem=full
 ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
-SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html

From b6af3ebb372cb27638eb3d5d63e97945f2a2e7e5 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Tue, 25 Jan 2022 01:29:14 +0100
Subject: [PATCH 2/3] systemd conf: Add AF_NETLINK address family

---
 conf/systemd.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 13d2588..8a2985e 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -18,7 +18,7 @@ StandardError=inherit
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed

From 028e7303abc99af3bb9680373c0f3e2fc4c59988 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sun, 20 Nov 2022 17:52:43 +0100
Subject: [PATCH 3/3] Update conf/systemd.service

Co-authored-by: Tagada <36127788+Tagadda@users.noreply.github.com>
---
 conf/systemd.service | 1 -
 1 file changed, 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index 8a2985e..b09effd 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -24,7 +24,6 @@ RestrictRealtime=yes
 DevicePolicy=closed
 ProtectClock=yes
 ProtectHostname=yes
-ProtectKernelLogs=yes
 ProtectProc=invisible
 ProtectSystem=full
 ProtectControlGroups=yes
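Review bot: The new `Protect*=` keys in the first hunk are silently dropped on older systemd releases rather than rejected, so the hardening can be absent with nothing more than an "Unknown key name" warning in the journal — `ProtectProc=` in particular only exists from systemd 247, and the other three were added in the 242–245 range as far as I recall, so this should be checked against the oldest host the unit is meant to run on. A comment above the block would make that dependency explicit: `# ProtectProc= requires systemd >= 247; older systemd ignores unknown keys with only a warning, so verify with systemd-analyze verify on the target host.` Separately, appending `@privileged` to `SystemCallFilter=~` pulls in more than the groups already listed (it is a superset that also covers `@chown` and `@raw-io`, among others), and with no `SystemCallErrorNumber=` set a process that hits one of those calls is killed with SIGSYS rather than receiving an error; `systemd-analyze syscall-filter @privileged` prints the exact set for the installed version and is worth checking before relying on it for a service that changes file ownership at start. The enclosing `[Service]` section starts before this hunk and continues after it.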
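Review bot: In the second hunk `AF_NETLINK` is added to `RestrictAddressFamilies=` without saying which component needs it, and since this directive works at address-family granularity the line opens the whole family (routing, uevent, audit and the other netlink protocols), not just the one the service presumably uses. A short inline comment would stop a later reviewer from tightening it back or from assuming it is scoped more narrowly than it is: `# AF_NETLINK: needed for interface/route lookups (getifaddrs-style calls use NETLINK_ROUTE) — confirm which component requires it`. If the requirement turns out to be narrower than the full family, that is something `RestrictAddressFamilies=` cannot express and would have to be documented as an accepted gap.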