more hardening

analotia 2020-09-18 18:20:05 +03:00 committed by GitHub
parent c916616e37
commit 155125a5bf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -35,6 +35,7 @@ LimitNOFILE=65536
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
PrivateUsers=true PrivateUsers=true
DevicePolicy=closed
PrivateDevices=yes PrivateDevices=yes
ProtectHome=yes ProtectHome=yes
ProtectSystem=full ProtectSystem=full
@ -46,7 +47,7 @@ ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectSystem=strict ProtectSystem=strict
RestrictAddressFamilies=AF_INET AF_INET6 RestrictAddressFamilies=AF_INET AF_INET6
RestrictNamespaces=cgroup ipc mnt pid user uts RestrictNamespaces=true
RestrictRealtime=true RestrictRealtime=true
RestrictSUIDSGID=true RestrictSUIDSGID=true
RemoveIPC=true RemoveIPC=true
@ -55,6 +56,11 @@ ReadWriteDirectories=-/var/lib/i2pd
ReadWriteDirectories=-/var/log/i2pd ReadWriteDirectories=-/var/log/i2pd
ReadWriteDirectories=-/run ReadWriteDirectories=-/run
CapabilityBoundingSet= CapabilityBoundingSet=
UMask=0077
LockPersonality=true
MemoryDenyWriteExecute=true
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @raw-io @reboot @mount @raw-io @reboot @swap @privileged @resources @cpu-emulation @obsolete
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
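Review bot: The added `SystemCallFilter=` line lists `@mount @raw-io @reboot` twice, and because no `SystemCallErrorNumber=` is set, any call that hits the deny-list terminates the daemon with SIGSYS instead of failing. `@resources` covers calls such as `setrlimit` and `@privileged` covers the uid/gid-changing calls, so if i2pd adjusts its own limits or drops privileges at startup (not visible on this page) the unit would be killed rather than degrade. I would write the filter once as `SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete @privileged @raw-io @reboot @resources @swap` and add `SystemCallErrorNumber=EPERM`, then confirm a clean start under the real configuration. The unit also still carries both `ProtectSystem=full` and `ProtectSystem=strict` in the unchanged lines; the later one wins, so the earlier can go.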