author | Markus Richter | 2020-01-06 15:22:42 +0100 |
---|---|---|
committer | Markus Richter | 2020-01-06 15:22:42 +0100 |
commit | 4893113c97aab6aaf07951803e9bdd95eb1faa6a (patch) | |
tree | 681eaf8981d31867864743be36ba0720b558ba11 /bitwarden_rs.service | |
parent | 0c1ba91d01f4c9469dd49ce9cd451bc447803dcb (diff) | |
download | aur-4893113c97aab6aaf07951803e9bdd95eb1faa6a.tar.gz |
+ declarative user+data folder, clean up .install
- apply changes to the systemd config from Siosm (https://github.com/Siosm/archlinux-bitwarden_rs-postgresql/commit/8862da33b998059ba593e17052b03b0b9d457ad6)
- harden .service file some more
- add sysusers and tmpfiles integration
- remove unnecessary daemon-reloading (is triggered by pacman anyway) in .install file
- make restart reminder on update smaller
Diffstat (limited to 'bitwarden_rs.service')
-rw-r--r-- | bitwarden_rs.service | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/bitwarden_rs.service b/bitwarden_rs.service index 458600a27ea6..c8263ff33640 100644 --- a/bitwarden_rs.service +++ b/bitwarden_rs.service @@ -14,16 +14,31 @@ ExecStart=/usr/bin/bitwarden_rs # Set reasonable connection and process limits LimitNOFILE=1048576 LimitNPROC=64 -# Isolate bitwarden_rs from the rest of the system + +# Prevent bitwarden_rs from doing anything stupid and/or unneccessary. PrivateTmp=true PrivateDevices=true + ProtectHome=true ProtectSystem=strict +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes + +RestrictNamespaces=yes + +SystemCallArchitectures=native +SystemCallFilter=@system-service +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + # Only allow writes to the following directory and set it to the working directory (user and password data are stored here) WorkingDirectory=/var/lib/bitwarden_rs ReadWriteDirectories=/var/lib/bitwarden_rs + # Allow bitwarden_rs to bind ports in the range of 0-1024 AmbientCapabilities=CAP_NET_BIND_SERVICE +# Restrict bitwarden_rs to only this capability +CapabilityBoundingSet=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target |
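Review bot: the added `SystemCallFilter=@system-service` line has no `SystemCallErrorNumber=` beside it, so any system call outside that set terminates the process with SIGSYS instead of returning an error. Consider adding `SystemCallErrorNumber=EPERM` so an unexpected call from a dependency surfaces as a failed operation rather than a crash of the service. The unchanged `ReadWriteDirectories=/var/lib/bitwarden_rs` line uses the older name for `ReadWritePaths=`, and since this commit already reworks that block it would be a good place to switch. Two style points on the added lines: the new comment misspells "unnecessary", and the new settings use `yes` while the existing ones use `true`, so pick one boolean spelling for the whole unit.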