diff options
author | Markus Richter | 2020-01-05 23:55:10 +0100 |
---|---|---|
committer | Markus Richter | 2020-01-06 00:12:31 +0100 |
commit | c729d85279c01843d23457463b1309f6a732524f (patch) | |
tree | 22f2302c925b929cfe9e3d1787e79938bac23a1a /bitwarden_rs.service | |
parent | 17dfecebc3a391e50b5d8d63826f3b7678f78391 (diff) | |
download | aur-c729d85279c01843d23457463b1309f6a732524f.tar.gz |
1.13.1
- apply changes to the systemd config from Siosm
- revert cargo test patches
- make restart reminder on update smaller
- remove unneccessary daemon-reloading (is triggered by pacman anyway)
Upstream Changelog:
- New collapsed log messaging, filtering the useless stuff like static file accesses and removing duplicate error messages. To get a more complete logging, use a LOG_LEVEL value of debug or trace.
- Fix crash when cipher page points to huge file
- Addded config option to change client IP header, IP_HEADER, by default it's X-Client-IP for backwards compat reasons.
- Printed current server time when failing TOTP, for easy debugging
- Protected websockets server against panics
- Add a logout button on the admin page
- Add endpoint to delete specific U2F key
- Updated dependencies
Diffstat (limited to 'bitwarden_rs.service')
-rw-r--r-- | bitwarden_rs.service | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/bitwarden_rs.service b/bitwarden_rs.service index 458600a27ea6..c8263ff33640 100644 --- a/bitwarden_rs.service +++ b/bitwarden_rs.service @@ -14,16 +14,31 @@ ExecStart=/usr/bin/bitwarden_rs # Set reasonable connection and process limits LimitNOFILE=1048576 LimitNPROC=64 -# Isolate bitwarden_rs from the rest of the system + +# Prevent bitwarden_rs from doing anything stupid and/or unneccessary. PrivateTmp=true PrivateDevices=true + ProtectHome=true ProtectSystem=strict +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes + +RestrictNamespaces=yes + +SystemCallArchitectures=native +SystemCallFilter=@system-service +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 + # Only allow writes to the following directory and set it to the working directory (user and password data are stored here) WorkingDirectory=/var/lib/bitwarden_rs ReadWriteDirectories=/var/lib/bitwarden_rs + # Allow bitwarden_rs to bind ports in the range of 0-1024 AmbientCapabilities=CAP_NET_BIND_SERVICE +# Restrict bitwarden_rs to only this capability +CapabilityBoundingSet=CAP_NET_BIND_SERVICE [Install] WantedBy=multi-user.target |