author | Markus Richter | 2020-04-29 17:58:53 +0200 |
committer | Markus Richter | 2020-04-29 17:59:36 +0200 |
commit | 7f657a541fda4f2cf1c95d4bcbb590cf20eaaa88 (patch) | |
tree | 8e778a1827e59e4b141b9afb7e319e048236a4ac /bitwarden_rs.service | |
parent | 3372335a95034d3ba647fbd28252b4f67422708a (diff) | |
download | aur-7f657a541fda4f2cf1c95d4bcbb590cf20eaaa88.tar.gz |
Tell bitwarden_rs its version, harden service more
Diffstat (limited to 'bitwarden_rs.service')
-rw-r--r-- | bitwarden_rs.service | 39 |
1 files changed, 31 insertions, 8 deletions
diff --git a/bitwarden_rs.service b/bitwarden_rs.service
index c8263ff33640..1786588d31cb 100644
--- a/bitwarden_rs.service
+++ b/bitwarden_rs.service
@@ -7,38 +7,61 @@ After=network.target
 # The user/group bitwarden_rs is run under. the working directory (see below) should allow write and read access to this user/group
 User=bitwarden_rs
 Group=bitwarden_rs
+
 # The location of the .env file for configuration
 EnvironmentFile=/etc/bitwarden_rs.env
+
 # The location of the compiled binary
 ExecStart=/usr/bin/bitwarden_rs
+
 # Set reasonable connection and process limits
 LimitNOFILE=1048576
 LimitNPROC=64
+# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
+WorkingDirectory=/var/lib/bitwarden_rs
+ReadWritePaths=/var/lib/bitwarden_rs
+
 # Prevent bitwarden_rs from doing anything stupid and/or unneccessary.
-PrivateTmp=true
-PrivateDevices=true
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+
+PrivateTmp=yes
+PrivateDevices=yes
-ProtectHome=true
+ProtectHome=yes
 ProtectSystem=strict
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectClock=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+RemoveIPC=yes
+UMask=0077
 SystemCallArchitectures=native
 SystemCallFilter=@system-service
-RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
-
-# Only allow writes to the following directory and set it to the working directory (user and password data are stored here)
-WorkingDirectory=/var/lib/bitwarden_rs
-ReadWriteDirectories=/var/lib/bitwarden_rs
+SystemCallFilter=~@resources
+SystemCallFilter=~@privileged
 # Allow bitwarden_rs to bind ports in the range of 0-1024
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 # Restrict bitwarden_rs to only this capability
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+# If bitwarden_rs is run at ports >1024, you can enable (remove the leading '#' of)
+# the following lines:
+#PrivateUsers=yes
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+
 [Install]
 WantedBy=multi-user.target
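Review bot: The two added deny-list lines `SystemCallFilter=~@resources` and `SystemCallFilter=~@privileged` carry no comment, although their interaction with the preceding `SystemCallFilter=@system-service` allow-list is easy to misread; a comment such as `# On top of the @system-service allow-list, deny syscall groups the daemon never needs (rlimits/scheduling, privileged ops)` would make the intent reviewable. It is worth confirming against the daemon that nothing in `@resources` (e.g. `setrlimit`-style calls) is used, because with the default filter action a blocked call terminates the process with SIGSYS instead of returning an error; `systemd-analyze syscall-filter @resources` lists the exact set. The commented-out block at the end relies on `CapabilityBoundingSet=` and `AmbientCapabilities=` being empty assignments that reset the lists set a few lines above, so the instructions only hold while that block stays below the active lines; stating this in the comment would keep it correct if the file is reordered later.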