Diffstat (limited to 'bus/example-system-hardening-without-traditional-activation.conf')
-rw-r--r--bus/example-system-hardening-without-traditional-activation.conf31
1 files changed, 31 insertions, 0 deletions
diff --git a/bus/example-system-hardening-without-traditional-activation.conf b/bus/example-system-hardening-without-traditional-activation.conf
new file mode 100644
index 00000000..2665c9a8
--- /dev/null
+++ b/bus/example-system-hardening-without-traditional-activation.conf
@@ -0,0 +1,31 @@
+# Example drop-in file (dbus.service.d/override.conf) for systemd
+# service. This version has many hardening options enabled and thus
+# it is only suitable for cases where only systemd activation is used
+# or traditional activation disabled by compiling dbus with
+# --disable-traditional-activation.
+
+[Service]
+CapabilityBoundingSet=CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_SYS_RESOURCE CAP_AUDIT_WRITE
+DeviceAllow=/dev/null rw
+DeviceAllow=/dev/urandom r
+DevicePolicy=strict
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ReadOnlyPaths=-/
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@chown @clock @cpu-emulation @debug @module @mount @obsolete @raw-io @reboot @resources @swap memfd_create mincore mlock mlockall personality
+UMask=0077
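Review bot: CapabilityBoundingSet= on the first line of [Service] keeps CAP_AUDIT_WRITE, but RestrictAddressFamilies=AF_UNIX later in the hunk blocks the AF_NETLINK socket that audit records are sent over, so a dbus built with audit support would fail to log rather than be hardened; either add AF_NETLINK there (`RestrictAddressFamilies=AF_UNIX AF_NETLINK`) or drop CAP_AUDIT_WRITE from the bounding set, and state the choice in a comment. A similar tension exists between keeping CAP_SYS_RESOURCE and filtering `@resources` in the second SystemCallFilter= line: if the capability is retained so the daemon can raise its RLIMIT_NOFILE, the seccomp filter denies the setrlimit/prlimit calls it would use, which is presumably not intended and should be confirmed against how the daemon is built. The header comment says the file is unsuitable for traditional activation without saying why; a line such as `# NoNewPrivileges=yes and the capability/seccomp limits below prevent the setuid activation helper from working` would tell an administrator which settings to relax if they need the traditional path (hedged: which of the options actually breaks the helper is not visible here). Note also that the repeated SystemCallFilter= lines rely on systemd's accumulate semantics for that setting; a one-line comment above them would stop a reader from treating the second as an override.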