MightyPork
/
airsonic-custom
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add a bunch of hardening to the systemd unit

Browse Source 
I tested this locally, it's working on my machine™
Nothing fancy, no new privileges, private stuff (/tmp, …),
no exotic devices/access/…, …

Signed-off-by: jvoisin <julien.voisin@dustri.org>
Signed-off-by: Andrew DeMaria <lostonamountain@gmail.com>
master
jvoisin 6 years ago committed by Andrew DeMaria
parent e76d44d957
commit ab92f83c1f
No known key found for this signature in database
GPG Key ID: 0A3F5E91F8364EDF
1 changed files with 25 additions and 0 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 25
      contrib/airsonic.service

25
contrib/airsonic.service
Unescape View File

@ -21,6 +21,31 @@ ExecStart=/usr/bin/java \
User=airsonic User=airsonic
Group=airsonic Group=airsonic
# See https://www.freedesktop.org/software/systemd/man/systemd.exec.html
# for details
DevicePolicy=closed
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=true
ProtectKernelModules=yes
ProtectKernelTunables=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes
RestrictRealtime=yes
SystemCallFilter=~@clock,@debug,@module,@mount,@obsolete,@privileged,@reboot,@setuid,@swap
ProtectSystem=full
# You can uncomment the following line if you don't want airsonic to be able to
# write anything on your filesystem outside of AIRSONIC_HOME.
# Don't forget to remove the other `ProtectSystem` line above.
#ProtectSystem=strict
#ReadWritePaths=/var/airsonic
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

Write Preview
Loading…
Cancel
Save