Implement systemd service security features

author: Sibren Vasse 2023-07-11 14:20:20 +0200
committer: Sibren Vasse 2023-07-11 14:20:20 +0200
commit: a504653532316eb0dd837d06c1f81a6a251891c1 (patch)
tree: e85ad47b8feb4ea11c887470d92f043bc2667fbb /dnsproxy-adguard.service
parent: 3dc47b8d6bad78df51d9b8d55f5c3951b3c8731d (diff)
download: aur-a504653532316eb0dd837d06c1f81a6a251891c1.tar.gz
1 files changed, 20 insertions, 0 deletions
diff --git a/dnsproxy-adguard.service b/dnsproxy-adguard.service
index 8f079b8a2e98..77bfe3004d53 100644
--- a/dnsproxy-adguard.service
+++ b/dnsproxy-adguard.service
@@ -13,5 +13,25 @@ ExecStart=/usr/bin/dnsproxy-adguard -l $ADDRESS -p $PORT $UPSTREAMS $OTHER_PARAM
 CapabilityBoundingSet=CAP_NET_BIND_SERVICE
 AmbientCapabilities=CAP_NET_BIND_SERVICE
 
+DevicePolicy=closed
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateTmp=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=noaccess
+ProtectSystem=strict
+RestrictAddressFamilies=AF_UNIX AF_INET
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
 [Install]
 WantedBy=multi-user.target
author	Sibren Vasse	2023-07-11 14:20:20 +0200
committer	Sibren Vasse	2023-07-11 14:20:20 +0200
commit	a504653532316eb0dd837d06c1f81a6a251891c1 (patch)
tree	e85ad47b8feb4ea11c887470d92f043bc2667fbb /dnsproxy-adguard.service
parent	3dc47b8d6bad78df51d9b8d55f5c3951b3c8731d (diff)
download	aur-a504653532316eb0dd837d06c1f81a6a251891c1.tar.gz