authorGeorge Rawlinson2020-11-25 20:41:53 +1300
committerGeorge Rawlinson2020-11-25 20:41:53 +1300
commit762bc40eccc81cda0075017e7c7549fc8aa68554 (patch)
tree4f5c25b7919300dd3072313162d1d9bdef001350 /cloudflared.service
parent6bebc6f42ed6b7803755aeac02016eb4246bf225 (diff)
upgpkg: cloudflared 2020.11.10-2
harden systemd service
Diffstat (limited to 'cloudflared.service')
-rw-r--r--cloudflared.service43
1 files changed, 37 insertions, 6 deletions
diff --git a/cloudflared.service b/cloudflared.service
index f61ec943d2f0..a1d699939729 100644
--- a/cloudflared.service
+++ b/cloudflared.service
@@ -4,19 +4,50 @@ After=network.target
Wants=network.target
[Service]
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+Type=notify
+ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate
User=cloudflared
Group=cloudflared
-Type=simple
-ExecStart=/usr/bin/cloudflared --no-autoupdate
Restart=on-failure
-PrivateTmp=true
-ProtectSystem=full
+RestartSec=5s
+TimeoutStartSec=0
+
+# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to
+# that capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# If cloudflared is run at ports >1024, you should apply these options via a
+# drop-in file
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+#PrivateUsers=yes
+
+NoNewPrivileges=true
+LimitNOFILE=1048576
+UMask=0077
+
+ProtectSystem=strict
ProtectHome=true
+PrivateTmp=true
PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
ProtectControlGroups=true
-NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
[Install]
WantedBy=multi-user.target
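Review bot: `ProtectSystem=strict` (replacing `full`) leaves only /dev, /proc and /sys writable, and the unit adds no `ReadWritePaths=`, `LogsDirectory=` or `StateDirectory=`, so anything the hard-coded /etc/cloudflared/config.yml asks cloudflared to write (a logfile, for instance) would fail with a read-only filesystem error; if that is intended, the drop-in comment block should say so, e.g. `# ProtectSystem=strict: grant write paths (e.g. a logfile) with ReadWritePaths= in a drop-in`. The comment above `CapabilityBoundingSet=` says "ports in the range of 0-1024", but CAP_NET_BIND_SERVICE covers the privileged ports below 1024, so `# Allow cloudflared to bind ports below 1024 and restrict it to that capability` is more accurate and matches the ">1024" wording of the next comment. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` is a good default for a tunnel client, though Go's net package uses an AF_NETLINK socket for interface enumeration; worth confirming against a journal run that cloudflared does not need `AF_NETLINK` added before this ships, since a denied family surfaces only at runtime. `TimeoutStartSec=0` with `Type=notify` means systemd waits indefinitely for READY=1, which matches the upstream unit but is worth a one-line comment so a later maintainer does not "fix" it.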