authorTopi Miettinen <toiwoton@gmail.com>2019-04-04 13:47:57 +0300
committerTopi Miettinen <toiwoton@gmail.com>2019-04-05 13:16:45 +0300
commit1c6a6bfbbb01aa92b4550c1e3a087b1c0f7ef310 (patch)
tree661a81ecd2ec80f51e35db1cc75175d7504065d5
parente06bfc6a120750ed629291ddcec02f62f178fab4 (diff)
downloadupower-1c6a6bfbbb01aa92b4550c1e3a087b1c0f7ef310.tar.gz
Harden systemd service
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
-rw-r--r--src/upower.service.in17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/upower.service.in b/src/upower.service.in
index 16dcee5..f4c6b88 100644
--- a/src/upower.service.in
+++ b/src/upower.service.in
@@ -20,6 +20,7 @@ PrivateTmp=true
# Network
# PrivateNetwork=true would block udev's netlink socket
+IPAddressDeny=any
RestrictAddressFamilies=AF_UNIX AF_NETLINK
# Execute Mappings
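Review bot: `IPAddressDeny=any` is added with no comment explaining why it is needed alongside `RestrictAddressFamilies=AF_UNIX AF_NETLINK` on the next line, which already excludes AF_INET and AF_INET6. The two use different mechanisms (a cgroup packet filter versus a filter on socket creation), so a short comment would stop a later cleanup from dropping one as redundant, e.g. `# Second layer: drop all IP traffic for the unit even if an IP socket is obtained some other way`. As far as I know the setting only takes effect on hosts with the unified cgroup hierarchy and BPF support, which is worth stating in the same comment. The [Service] section starts and ends outside this hunk.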
@@ -34,5 +35,21 @@ RestrictRealtime=true
# Privilege escalation
NoNewPrivileges=true
+# Capabilities
+CapabilityBoundingSet=
+
+# System call interfaces
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=ioprio_get
+
+# Namespaces
+PrivateUsers=yes
+RestrictNamespaces=yes
+
+# Locked memory
+LimitMEMLOCK=0
+
[Install]
WantedBy=graphical.target
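Review bot: The two `SystemCallFilter=` lines form an allow-list and no `SystemCallErrorNumber=` is set, so any syscall outside the list terminates upowerd with SIGSYS; a library update that starts using a new call could then take the daemon down instead of failing one operation. Consider adding `SystemCallErrorNumber=EPERM`, and a comment above `SystemCallFilter=ioprio_get` naming the code path that needs it, e.g. `# ioprio_get is not in @system-service; required by <caller>`. `@system-service` needs a systemd release that knows the group; on an older one I would expect that line to be ignored and the allow-list to shrink to `ioprio_get` alone, so please confirm against the project's minimum systemd version. The new booleans are spelled `yes` while the existing lines in the file use `true`. The [Service] section begins outside this hunk.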