harden webui service

Signed-off-by: Oleksandr Natalenko <oleksandr@natalenko.name>
author: Oleksandr Natalenko 2020-04-12 18:36:28 +0200
committer: Oleksandr Natalenko 2020-04-12 18:36:28 +0200
commit: 62445880808a7048e710d4f0e47fd54e47dcc69d (patch)
tree: b29b0d8e83df15b74d66df537b7828bb0a4849d3 /bandwidthd-webui.service
parent: d40a717fdef60d6e92d788f12e624309a8d89a9d (diff)
download: aur-62445880808a7048e710d4f0e47fd54e47dcc69d.tar.gz
1 files changed, 26 insertions, 1 deletions
diff --git a/bandwidthd-webui.service b/bandwidthd-webui.service
index b77740cdd931..919fb42d5242 100644
--- a/bandwidthd-webui.service
+++ b/bandwidthd-webui.service
@@ -8,8 +8,33 @@ User=bandwidthd
 Group=bandwidthd
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+PrivateDevices=true
+NoNewPrivileges=true
+PrivateTmp=true
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectSystem=strict
+StateDirectory=bandwidthd
+RuntimeDirectory=bandwidthd
+ConfigurationDirectory=bandwidthd
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+RestrictRealtime=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+UMask=066
+ProtectHostname=true
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
 ExecStart=/usr/bin/nginx -c /etc/bandwidthd/bandwidthd-webui.conf
-PIDFile=/run/bandwidthd/bandwidthd-webui.pid
+PIDFile=bandwidthd/bandwidthd-webui.pid
 
 [Install]
 WantedBy=bandwidthd.service
author	Oleksandr Natalenko	2020-04-12 18:36:28 +0200
committer	Oleksandr Natalenko	2020-04-12 18:36:28 +0200
commit	62445880808a7048e710d4f0e47fd54e47dcc69d (patch)
tree	b29b0d8e83df15b74d66df537b7828bb0a4849d3 /bandwidthd-webui.service
parent	d40a717fdef60d6e92d788f12e624309a8d89a9d (diff)
download	aur-62445880808a7048e710d4f0e47fd54e47dcc69d.tar.gz