commit 983e696bd6c77d06c79599b98185ed91c5ed62db parent 8cc70a14d673ea5811ef0d6cb93fddb945a66962 Author: OniriCorpe <oniricorpe@disroot.org> Date: Mon, 28 Mar 2022 13:37:16 +0200 [feature/security] Add systemd sandboxing options to harden security (#440) Diffstat:
| M | example/gotosocial.service | | | 33 | +++++++++++++++++++++++++++++++++ |
1 file changed, 33 insertions(+), 0 deletions(-)
diff --git a/example/gotosocial.service b/example/gotosocial.service @@ -17,6 +17,39 @@ Restart=on-failure ExecStart=/gotosocial/gotosocial --config-path config.yaml server start WorkingDirectory=/gotosocial +StandardOutput=append:/var/log/gotosocial/gotosocial.log +StandardError=inherit + + +# Sandboxing options to harden security +# Details for these options: https://www.freedesktop.org/software/systemd/man/systemd.exec.html +NoNewPrivileges=yes +PrivateTmp=yes +PrivateDevices=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +RestrictNamespaces=yes +RestrictRealtime=yes +DevicePolicy=closed +ProtectSystem=full +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +LockPersonality=yes +SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap + +# Denying access to capabilities that should not be relevant +# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html +CapabilityBoundingSet=~CAP_RAWIO CAP_MKNOD +CapabilityBoundingSet=~CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE +CapabilityBoundingSet=~CAP_SYS_BOOT CAP_SYS_TIME CAP_SYS_MODULE CAP_SYS_PACCT +CapabilityBoundingSet=~CAP_LEASE CAP_LINUX_IMMUTABLE CAP_IPC_LOCK +CapabilityBoundingSet=~CAP_BLOCK_SUSPEND CAP_WAKE_ALARM +CapabilityBoundingSet=~CAP_SYS_TTY_CONFIG +CapabilityBoundingSet=~CAP_MAC_ADMIN CAP_MAC_OVERRIDE +CapabilityBoundingSet=~CAP_NET_ADMIN CAP_NET_BROADCAST CAP_NET_RAW +CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_SYSLOG + + [Install] WantedBy=default.target