Add a bunch of hardening to the systemd unit

I tested this locally, it's working on my machine™ Nothing fancy, no new privileges, private stuff (/tmp, …), no exotic devices/access/…, … Signed-off-by: jvoisin <julien.voisin@dustri.org> Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
5 years ago · ab92f83c1f
parent e76d44d957
commit ab92f83c1f
1 changed files with 25 additions and 0 deletions
--- a/contrib/airsonic.service
+++ b/contrib/airsonic.service
@ -21,6 +21,31 @@ ExecStart=/usr/bin/java \
 User=airsonic
 Group=airsonic

+# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+# for details
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectControlGroups=yes
+ProtectHome=true
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=yes
+RestrictRealtime=yes
+SystemCallFilter=~@clock,@debug,@module,@mount,@obsolete,@privileged,@reboot,@setuid,@swap
+ProtectSystem=full
+
+# You can uncomment the following line if you don't want airsonic to be able to 
+# write anything on your filesystem outside of AIRSONIC_HOME.
+# Don't forget to remove the other `ProtectSystem` line above.
+#ProtectSystem=strict
+#ReadWritePaths=/var/airsonic
+
+
 [Install]
 WantedBy=multi-user.target