diff options
author | Sibren Vasse | 2023-07-11 14:20:20 +0200 |
---|---|---|
committer | Sibren Vasse | 2023-07-11 14:20:20 +0200 |
commit | a504653532316eb0dd837d06c1f81a6a251891c1 (patch) | |
tree | e85ad47b8feb4ea11c887470d92f043bc2667fbb | |
parent | 3dc47b8d6bad78df51d9b8d55f5c3951b3c8731d (diff) | |
download | aur-a504653532316eb0dd837d06c1f81a6a251891c1.tar.gz |
Implement systemd service security features
-rw-r--r-- | .SRCINFO | 2 | ||||
-rw-r--r-- | PKGBUILD | 2 | ||||
-rw-r--r-- | dnsproxy-adguard.service | 20 |
3 files changed, 22 insertions, 2 deletions
@@ -1,7 +1,7 @@ pkgbase = dnsproxy-adguard pkgdesc = Simple DNS proxy with DoH, DoT, and DNSCrypt support by AdguardTeam pkgver = 0.51.0 - pkgrel = 2 + pkgrel = 3 url = https://github.com/AdguardTeam/dnsproxy arch = x86_64 arch = aarch64 @@ -5,7 +5,7 @@ _projectname=dnsproxy pkgname=dnsproxy-adguard pkgver=0.51.0 -pkgrel=2 +pkgrel=3 pkgdesc="Simple DNS proxy with DoH, DoT, and DNSCrypt support by AdguardTeam" arch=('x86_64' 'aarch64') url="https://github.com/AdguardTeam/dnsproxy" diff --git a/dnsproxy-adguard.service b/dnsproxy-adguard.service index 8f079b8a2e98..77bfe3004d53 100644 --- a/dnsproxy-adguard.service +++ b/dnsproxy-adguard.service @@ -13,5 +13,25 @@ ExecStart=/usr/bin/dnsproxy-adguard -l $ADDRESS -p $PORT $UPSTREAMS $OTHER_PARAM CapabilityBoundingSet=CAP_NET_BIND_SERVICE AmbientCapabilities=CAP_NET_BIND_SERVICE +DevicePolicy=closed +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateTmp=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=noaccess +ProtectSystem=strict +RestrictAddressFamilies=AF_UNIX AF_INET +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes + [Install] WantedBy=multi-user.target |