anonymous-overflow: Enable some hardening flags
This commit is contained in:
parent
ce177c6f9d
commit
c9cb1639b4
1 changed files with 19 additions and 0 deletions
|
@ -16,6 +16,25 @@ in
|
|||
ExecStart = "${anonymous-overflow-pkg}/bin/anonymousoverflow";
|
||||
Restart = "on-failure";
|
||||
RestartSec = "5s";
|
||||
# Hardening
|
||||
CapabilityBoundingSet = [ "" ];
|
||||
DeviceAllow = [ "" ];
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProcSubset = "pid";
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
};
|
||||
|
||||
|
|
Loading…
Reference in a new issue