Update systemd.service

This commit is contained in:
Alexandre Aubin 2022-01-19 19:40:39 +01:00 committed by GitHub
parent d4876b093a
commit f6f814e69b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -22,12 +22,17 @@ RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes
DevicePolicy=closed DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectKernelLogs=yes
ProtectProc=invisible
ProtectSystem=full ProtectSystem=full
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
LockPersonality=yes LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
# Denying access to capabilities that should not be relevant for webapps # Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html