archrelease: copy trunk to community-any
[ArchLinux/community.git] / i2pd / trunk / 030-i2pd-systemd-service-hardening.patch
1 --- a/contrib/i2pd.service
2 +++ b/contrib/i2pd.service
3 @@ -33,5 +33,31 @@ LimitNOFILE=4096
4 # To enable write of coredump uncomment this
5 #LimitCORE=infinity
7 +# Hardening options
8 +PrivateTmp=true
9 +ProtectSystem=strict
10 +ProtectHome=true
11 +PrivateDevices=true
12 +ProtectKernelTunables=true
13 +ProtectControlGroups=true
14 +NoNewPrivileges=true
15 +MemoryDenyWriteExecute=true
16 +LockPersonality=true
17 +SystemCallFilter=@system-service
18 +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
19 +ProtectHostname=true
20 +ProtectClock=true
21 +ProtectKernelLogs=true
22 +ProtectKernelModules=true
23 +ProtectProc=invisible
24 +ProcSubset=pid
25 +PrivateMounts=true
26 +PrivateUsers=true
27 +ReadWritePaths=/var/lib/i2pd /var/log/i2pd
28 +RemoveIPC=true
29 +RestrictRealtime=true
30 +RestrictSUIDSGID=true
31 +SystemCallArchitectures=native
33 [Install]
34 WantedBy=multi-user.target
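Review bot: The added hardening block leaves namespace creation and the capability set unrestricted: none of the new lines sets `RestrictNamespaces=true` or an empty `CapabilityBoundingSet=`, and the part of the unit above line 33 is outside this hunk, so whether they are set there cannot be confirmed from here. With `ProtectSystem=strict`, only `/var/lib/i2pd` and `/var/log/i2pd` are writable, so check that the daemon's PID file or runtime directory is covered by a `RuntimeDirectory=` line in the unseen part of the unit. Otherwise start-up would presumably fail on a read-only `/run`. `ProtectProc=` and `ProcSubset=` need systemd 247 or newer, and older versions only log a warning and skip them. A comment such as `# Hardening options (ProtectProc/ProcSubset require systemd >= 247)` in place of the bare heading would tell packagers what the profile assumes.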