author | George Rawlinson | 2020-11-25 20:41:53 +1300 |
committer | George Rawlinson | 2020-11-25 20:41:53 +1300 |
commit | 762bc40eccc81cda0075017e7c7549fc8aa68554 (patch) | |
tree | 4f5c25b7919300dd3072313162d1d9bdef001350 /cloudflared.service | |
parent | 6bebc6f42ed6b7803755aeac02016eb4246bf225 (diff) | |
download | aur-762bc40eccc81cda0075017e7c7549fc8aa68554.tar.gz |
upgpkg: cloudflared 2020.11.10-2
harden systemd service
Diffstat (limited to 'cloudflared.service')
-rw-r--r-- | cloudflared.service | 43 |
1 files changed, 37 insertions, 6 deletions
diff --git a/cloudflared.service b/cloudflared.service
index f61ec943d2f0..a1d699939729 100644
--- a/cloudflared.service
+++ b/cloudflared.service
@@ -4,19 +4,50 @@ After=network.target
 Wants=network.target
 
 [Service]
-AmbientCapabilities=CAP_NET_BIND_SERVICE
+Type=notify
+ExecStart=/usr/bin/cloudflared --config /etc/cloudflared/config.yml --no-autoupdate
 User=cloudflared
 Group=cloudflared
-Type=simple
-ExecStart=/usr/bin/cloudflared --no-autoupdate
 Restart=on-failure
-PrivateTmp=true
-ProtectSystem=full
+RestartSec=5s
+TimeoutStartSec=0
+
+# Allow cloudflared to bind ports in the range of 0-1024 and restrict it to
+# that capability
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+
+# If cloudflared is run at ports >1024, you should apply these options via a
+# drop-in file
+#CapabilityBoundingSet=
+#AmbientCapabilities=
+#PrivateUsers=yes
+
+NoNewPrivileges=true
+LimitNOFILE=1048576
+UMask=0077
+
+ProtectSystem=strict
 ProtectHome=true
+PrivateTmp=true
 PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
 ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
 ProtectControlGroups=true
-NoNewPrivileges=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+RestrictNamespaces=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+RemoveIPC=true
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
 
 [Install]
 WantedBy=multi-user.target |
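Review bot: The two new SystemCallFilter= lines leave systemd's default action for a blocked call in place, which is to terminate the process with SIGSYS, so any call that falls outside @system-service or inside the ~@privileged @resources denylist kills cloudflared outright rather than failing in a way it can report; adding `SystemCallErrorNumber=EPERM` next to them makes a blocked call return an error that shows up in the service's own log output, which is much easier to diagnose from journalctl than a restart loop. The new RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 line deserves the same start-up verification, because a Go program that enumerates network interfaces opens an AF_NETLINK socket, and the hunk does not show whether cloudflared does so. The comment above CapabilityBoundingSet= says "ports in the range of 0-1024", but CAP_NET_BIND_SERVICE covers the privileged ports below 1024, so `# Allow cloudflared to bind privileged ports (below 1024) and restrict it to` followed by `# that capability` would state the boundary correctly.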