author | Sibren Vasse | 2023-07-11 14:20:20 +0200 |
---|---|---|
committer | Sibren Vasse | 2023-07-11 14:20:20 +0200 |
commit | a504653532316eb0dd837d06c1f81a6a251891c1 (patch) | |
tree | e85ad47b8feb4ea11c887470d92f043bc2667fbb /dnsproxy-adguard.service | |
parent | 3dc47b8d6bad78df51d9b8d55f5c3951b3c8731d (diff) | |
Implement systemd service security features
Diffstat (limited to 'dnsproxy-adguard.service')
-rw-r--r-- | dnsproxy-adguard.service | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/dnsproxy-adguard.service b/dnsproxy-adguard.service
index 8f079b8a2e98..77bfe3004d53 100644
--- a/dnsproxy-adguard.service
+++ b/dnsproxy-adguard.service
@@ -13,5 +13,25 @@ ExecStart=/usr/bin/dnsproxy-adguard -l $ADDRESS -p $PORT $UPSTREAMS $OTHER_PARAM
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=noaccess
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
 
 [Install]
 WantedBy=multi-user.target |
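Review bot: `RestrictAddressFamilies=AF_UNIX AF_INET` leaves out AF_INET6, so the proxy can no longer bind an IPv6 listen address or reach an IPv6 upstream, even though the hunk-header ExecStart line takes both `$ADDRESS` and `$UPSTREAMS` from the environment and nothing on this page restricts them to IPv4; unless IPv4-only is intended, this should read `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6`. The line would also benefit from a comment such as `# AF_NETLINK may additionally be required if the binary enumerates interfaces` — whether it does cannot be told from here and should be confirmed against the service's logs after the first start. `ProtectSystem=strict` makes the entire filesystem read-only with no `ReadWritePaths=` granted, which is correct only if the proxy writes nothing outside /tmp; a `ReadWritePaths=` entry would be needed for any cache or log location it uses. The usual companions to this hardening set, `SystemCallFilter=@system-service` and `SystemCallArchitectures=native`, are not part of the hunk and would be worth adding in a follow-up. The enclosing `[Service]` section begins above the hunk.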