author | Topi Miettinen <toiwoton@gmail.com> | 2019-04-04 13:47:57 +0300 |
---|---|---|
committer | Topi Miettinen <toiwoton@gmail.com> | 2019-04-05 13:16:45 +0300 |
commit | 1c6a6bfbbb01aa92b4550c1e3a087b1c0f7ef310 (patch) | |
tree | 661a81ecd2ec80f51e35db1cc75175d7504065d5 /src/upower.service.in | |
parent | e06bfc6a120750ed629291ddcec02f62f178fab4 (diff) | |
download | upower-1c6a6bfbbb01aa92b4550c1e3a087b1c0f7ef310.tar.gz |
Harden systemd service
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Diffstat (limited to 'src/upower.service.in')
-rw-r--r-- | src/upower.service.in | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/src/upower.service.in b/src/upower.service.in
index 16dcee5..f4c6b88 100644
--- a/src/upower.service.in
+++ b/src/upower.service.in
@@ -20,6 +20,7 @@ PrivateTmp=true
 # Network
 # PrivateNetwork=true would block udev's netlink socket
+IPAddressDeny=any
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
 # Execute Mappings
@@ -34,5 +35,21 @@ RestrictRealtime=true
 # Privilege escalation
 NoNewPrivileges=true
+# Capabilities
+CapabilityBoundingSet=
+
+# System call interfaces
+LockPersonality=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=ioprio_get
+
+# Namespaces
+PrivateUsers=yes
+RestrictNamespaces=yes
+
+# Locked memory
+LimitMEMLOCK=0
+
 [Install]
 WantedBy=graphical.target |
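Review bot: The two new SystemCallFilter= lines in the second hunk come without a SystemCallErrorNumber=, so with systemd's default any syscall outside @system-service plus ioprio_get terminates upowerd with SIGSYS rather than failing the call; that is the strictest setting, but it turns a syscall missed on another libc or architecture into a hard crash, and the unit should say so, e.g. `# Unlisted syscalls kill the daemon (SIGSYS); extend the filter rather than loosen it`, or add `SystemCallErrorNumber=EPERM` if a logged failure is preferred over a crash. Several of the added directives (IPAddressDeny=, PrivateUsers=, RestrictNamespaces=, LockPersonality=) are, as far as I recall, only honoured by systemd versions newer than some distributions shipping upower, and older systemd logs a warning and ignores unknown assignments, so the hardening degrades silently; a comment naming the minimum systemd version these settings assume would let packagers notice. With no User= in view, upowerd still runs as root here, so the empty CapabilityBoundingSet= together with PrivateUsers=yes is what actually removes its privileges; a one-line comment above `CapabilityBoundingSet=` stating that the daemon needs no capabilities would document that intent for the next reader.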