From f1ec6a6c85d145d56611ea871a2a50d5168b0b63 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Wed, 11 Nov 2020 19:54:27 +0100
Subject: [PATCH] Add RestrictAddressFamilies and SystemCallFilter

---
 conf/systemd.service | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/conf/systemd.service b/conf/systemd.service
index d0ddbf0..ca2ed1a 100644
--- a/conf/systemd.service
+++ b/conf/systemd.service
@@ -16,6 +16,7 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
 NoNewPrivileges=yes
 PrivateTmp=yes
 PrivateDevices=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
 RestrictRealtime=yes
 DevicePolicy=closed
@@ -24,7 +25,7 @@ ProtectControlGroups=yes
 ProtectKernelModules=yes
 ProtectKernelTunables=yes
 LockPersonality=yes
-
+SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
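Review bot: The new `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` line in the first hunk is an allow-list, so from then on any socket(2) call with a family not listed fails with EAFNOSUPPORT, and in a generic template (`__APP__`, `__FINALPATH__` placeholders) the family most likely to be missed is AF_NETLINK, which glibc's getifaddrs() and, as far as I know, several language runtimes use to enumerate interfaces. The value is the right default for a web app, but the failure only shows up when the packaged app happens to need it, so the line should carry a comment telling the packager how to extend it, e.g. `# Allow-list: socket() with any other family fails with EAFNOSUPPORT; add AF_NETLINK if the app enumerates interfaces (getifaddrs)`. Note that it sits next to `NoNewPrivileges=yes`, which is what lets the filter be installed for a root-started service, so the two lines should be kept together.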