lobon (Mailman-VM) #30
1 changed files with 18 additions and 0 deletions
|
|
@ -93,7 +93,25 @@ in {
|
|||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
User = "mailman";
|
||||
NoNewPrivileges = true;
|
||||
|
|
||||
# See https://www.man7.org/linux/man-pages/man5/systemd.exec.5.html
|
||||
PrivateTmp = true;
|
||||
ProtectHome = true;
|
||||
ReadOnlyPaths = "/";
|
||||
ReadWritePaths = "/tmp";
|
||||
InaccessiblePaths = "-/lost+found";
|
||||
PrivateDevices = true;
|
||||
PrivateUsers = true;
|
||||
ProtectHostname = true;
|
||||
ProtectClock = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectControlGroups = true;
|
||||
LockPersonality = true;
|
||||
MemoryDenyWriteExecute = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
};
|
||||
};
|
||||
|
nerf marked this conversation as resolved
Outdated
nerf
commented
This is probably a bigger refactoring pull request and outside the scope of this one. This is probably a bigger refactoring pull request and outside the scope of this one.
We could think making it easier configurable that backups are made by a user that can
basically read everything but not write.
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue
can we set
NoNewPrivileges = true;? or does it break the service?And one could read the Sandboxing part of
systemd.exec(5)Yes, I added a bunch of them in
f334e00d01that seemed reasonable and don't break the updater. Notably, I left outExecPaths=andNoExecPaths=because the correct values are unclear to me.