From 1a36152123141e2bd863bbf1d985d0475da82bb5 Mon Sep 17 00:00:00 2001 From: Darkcyankitty Date: Wed, 20 Aug 2025 18:12:56 +0000 Subject: [PATCH 1/3] Update i2pd.service Hardening for i2pd.service --- contrib/i2pd.service | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/contrib/i2pd.service b/contrib/i2pd.service index 1ab46979..1eb8a92b 100644 --- a/contrib/i2pd.service +++ b/contrib/i2pd.service @@ -34,5 +34,20 @@ LimitNOFILE=8192 # To enable write of coredump uncomment this #LimitCORE=infinity +#hardening +ProtectHostname=true +ProtectKernelLogs=true +ProtectControlGroups=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectProc=invisible +ProcSubset=pid +PrivateTmp=true +PrivateUsers=true +PrivateDevices=true +PrivateIPC=true +NoNewPrivileges=true +RestrictNamespaces=true + [Install] WantedBy=multi-user.target From 721bebcd7f90c6cdcc7f14252ede46eaec1f3987 Mon Sep 17 00:00:00 2001 From: Darkcyankitty Date: Thu, 21 Aug 2025 10:21:20 +0000 Subject: [PATCH 2/3] Update i2pd.service --- contrib/i2pd.service | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/contrib/i2pd.service b/contrib/i2pd.service index 1eb8a92b..5ed3a211 100644 --- a/contrib/i2pd.service +++ b/contrib/i2pd.service @@ -33,7 +33,6 @@ SendSIGKILL=yes LimitNOFILE=8192 # To enable write of coredump uncomment this #LimitCORE=infinity - #hardening ProtectHostname=true ProtectKernelLogs=true @@ -48,6 +47,10 @@ PrivateDevices=true PrivateIPC=true NoNewPrivileges=true RestrictNamespaces=true +ProtectSystem=full +ReadWritePaths=-/var/lib/i2pd +ReadWritePaths=-/run/i2pd +ReadWritePaths=-/etc/i2pd [Install] WantedBy=multi-user.target From 66d2c51c2532229955938f5d1907494b809ad05b Mon Sep 17 00:00:00 2001 From: Darkcyankitty Date: Sat, 23 Aug 2025 12:22:33 +0300 Subject: [PATCH 3/3] Update i2pd.service --- contrib/i2pd.service | 8 -------- 1 file changed, 8 deletions(-) diff --git a/contrib/i2pd.service b/contrib/i2pd.service index 5ed3a211..99819ae1 100644 --- a/contrib/i2pd.service +++ b/contrib/i2pd.service @@ -34,17 +34,9 @@ LimitNOFILE=8192 # To enable write of coredump uncomment this #LimitCORE=infinity #hardening -ProtectHostname=true -ProtectKernelLogs=true ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true -ProtectProc=invisible -ProcSubset=pid -PrivateTmp=true -PrivateUsers=true -PrivateDevices=true -PrivateIPC=true NoNewPrivileges=true RestrictNamespaces=true ProtectSystem=full