CHTJonas

safe systemd-exec config

Mar 10th, 2021
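  # Template unit for a long-running service that runs as an unprivileged
  # account inside a tight systemd sandbox. "blah" is a placeholder for the
  # service name, account and paths.
  #
  # Directives that the installed systemd release does not recognise are
  # skipped with a log warning instead of failing the unit, so on older hosts
  # check the journal and confirm the sandbox is really applied, for example
  # with `systemd-analyze security <unit>`.
  [Unit]
  Description=blah blah blah
  # Ordering only. With PrivateNetwork=true below the service sees nothing but
  # a private loopback interface, whatever the state of the host network.
  After=network.target

  [Service]
  # Dedicated non-root account for the service.
  User=blah
  Group=blah
  Type=simple
  WorkingDirectory=/var/lib/blah
  ExecStart=/usr/local/bin/blah
  Restart=always

  # Security
  # The process and its children cannot gain privileges through execve()
  # (setuid/setgid bits, file capabilities).
  NoNewPrivileges=yes

  # Process properties
  # Soft:hard limit on the size of any single file the service writes.
  LimitFSIZE=10M:10M
  # Fresh session keyring that is not linked to the user keyring, so keys are
  # not shared with other services running under the same UID.
  KeyringMode=private

  # Sandboxing
  # /home, /root and /run/user are inaccessible and appear empty.
  ProtectHome=yes
  # The file system hierarchy is mounted read-only for the service, except for
  # /dev, /proc and /sys. ReadWritePaths= re-opens only the state directory.
  ProtectSystem=strict
  ReadWritePaths=/var/lib/blah
  # Private /tmp and /var/tmp that other processes cannot see.
  PrivateTmp=yes
  # Private /dev holding only pseudo-devices (/dev/null, /dev/random, ...);
  # no physical devices.
  PrivateDevices=yes
  # Own network namespace with a loopback interface only. If the service needs
  # network access this has to go, and RestrictAddressFamilies= together with
  # IPAddressAllow=/IPAddressDeny= are the narrower replacements to consider.
  PrivateNetwork=true
  # Host name and NIS domain name cannot be changed.
  ProtectHostname=true
  # System and hardware clock cannot be set.
  ProtectClock=true
  # Kernel tunables under /proc/sys, /sys and similar are read-only.
  ProtectKernelTunables=true
  # Explicit loading and unloading of kernel modules is denied.
  ProtectKernelModules=true
  # No access to the kernel log ring buffer.
  ProtectKernelLogs=true
  # The control group hierarchy under /sys/fs/cgroup is read-only.
  ProtectControlGroups=true
  # No memory mappings that are writable and executable at the same time.
  # Runtimes that generate code at run time (JIT compilers) fail under this.
  MemoryDenyWriteExecute=true
  # Realtime scheduling policies cannot be acquired.
  RestrictRealtime=true
  # setuid/setgid bits cannot be set on files or directories.
  RestrictSUIDSGID=true

  # System call filtering
  # Allow-list: only the @system-service group is permitted, and any other
  # system call terminates the process unless SystemCallErrorNumber= is set.
  # `systemd-analyze syscall-filter @system-service` lists the group's members.
  SystemCallFilter=@system-service
  # Permit the native ABI only. systemd.exec(5) recommends pairing this with
  # SystemCallFilter= and MemoryDenyWriteExecute=, because on multi-ABI systems
  # (such as x86/x86-64) a secondary ABI can otherwise be used to get around
  # both. Drop it only if the service has to execute non-native binaries.
  SystemCallArchitectures=native

  # Further options to evaluate per service: CapabilityBoundingSet=,
  # RestrictNamespaces=, RestrictAddressFamilies=, LockPersonality=,
  # ProtectProc= and UMask=.

  [Install]
  WantedBy=multi-user.target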