service: harden the NetworkManager service a bitlr/systemd-hardened

Tested with dnsmasq (ipv4.method=shared), openvpn & vpnc. https://bugzilla.gnome.org/show_bug.cgi?id=750598
author: Lubomir Rintel <lkundrak@v3.sk> 2015-06-04 14:30:02 +0200
committer: Lubomir Rintel <lkundrak@v3.sk> 2015-07-01 16:26:15 +0200
commit: 4ffd57f83d9cc36c8908c42bcf3d452392bb0e60 (patch)
tree: f9d96da679ee9d4009c57dfe30fe5ae949d24b4c
parent: 1749ad4068b27ab3955b35128c833096e7c195e4 (diff)
download: NetworkManager-lr/systemd-hardened.tar.gz
1 files changed, 3 insertions, 0 deletions
diff --git a/data/NetworkManager.service.in b/data/NetworkManager.service.in
index 980573d31c..42b43e381b 100644
--- a/data/NetworkManager.service.in
+++ b/data/NetworkManager.service.in
@@ -11,6 +11,9 @@ ExecStart=@sbindir@/NetworkManager --no-daemon
 Restart=on-failure
 # NM doesn't want systemd to kill its children for it
 KillMode=process
+CapabilityBoundingSet=CAP_NET_ADMIN CAP_DAC_OVERRIDE CAP_NET_RAW CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_MODULE
+ProtectSystem=true
+ProtectHome=read-only
 
 [Install]
 WantedBy=multi-user.target
author	Lubomir Rintel <lkundrak@v3.sk>	2015-06-04 14:30:02 +0200
committer	Lubomir Rintel <lkundrak@v3.sk>	2015-07-01 16:26:15 +0200
commit	4ffd57f83d9cc36c8908c42bcf3d452392bb0e60 (patch)
tree	f9d96da679ee9d4009c57dfe30fe5ae949d24b4c
parent	1749ad4068b27ab3955b35128c833096e7c195e4 (diff)
download	NetworkManager-lr/systemd-hardened.tar.gz