
anonymous-overflow: Enable some hardening flags

Daniel Kempkens 2023-02-16 00:43:22 +01:00
parent ce177c6f9d
commit c9cb1639b4
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM


@ -16,6 +16,25 @@ in
ExecStart = "${anonymous-overflow-pkg}/bin/anonymousoverflow";
Restart = "on-failure";
RestartSec = "5s";
# Hardening
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
LockPersonality = true;
MemoryDenyWriteExecute = true;
PrivateDevices = true;
PrivateUsers = true;
ProcSubset = "pid";
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
};
};
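Review bot: The added hardening list covers capabilities, devices, kernel interfaces and address families, but nothing in it restricts filesystem writes or syscall architecture, and `NoNewPrivileges` is not set explicitly. I would add `NoNewPrivileges = true;`, `ProtectSystem = "strict";` and `SystemCallArchitectures = "native";` alongside the other entries. If the service writes anywhere on disk, `ProtectSystem = "strict"` needs a matching `StateDirectory` or `ReadWritePaths`. The `serviceConfig` block starts above the hunk, so it is not visible whether `User` or `DynamicUser` is set, which would already imply `NoNewPrivileges` for several of these options. A `SystemCallFilter` allow-list would be a sensible follow-up once the binary's syscall needs are confirmed, and `systemd-analyze security` on the unit will show what remains exposed.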