author | Martin/Geno | 2019-10-26 17:02:09 +0200 |
committer | Martin/Geno | 2019-10-26 17:02:09 +0200 |
commit | 20e7fe629b82bbcf55d14c2c1e04e923a4750ef4 (patch) | |
tree | 9bb136367aa619db2e1af802660cac27b6353c92 /jool_siit.service | |
parent | 25aa0c45ff0e4f72372fe29f3fde64aa932fc0d2 (diff) | |
add systemd files
Diffstat (limited to 'jool_siit.service')
-rw-r--r-- | jool_siit.service | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/jool_siit.service b/jool_siit.service
new file mode 100644
index 000000000000..a2cfecc787e7
--- /dev/null
+++ b/jool_siit.service
@@ -0,0 +1,38 @@
+[Unit]
+Description=Stateless IP/ICMP Translator
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+ConditionPathExists=/etc/jool/jool_siit.conf
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool_siit
+ExecStart=/usr/bin/jool_siit file handle /etc/jool/jool_siit.conf --force
+ExecStop=/usr/bin/jool_siit -f /etc/jool/jool_siit.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target
|
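Review bot: Keeping `CAP_SYS_MODULE` in `CapabilityBoundingSet` and setting `ProtectKernelModules=no` solely so that the `ExecStartPre=/sbin/modprobe jool_siit` line can run leaves the unit able to load arbitrary kernel code, which undercuts most of the hardening in the "Security Section" below it; the comment block already acknowledges this is the one exception. The module load does not have to happen inside this unit: a `/etc/modules-load.d/` drop-in containing `jool_siit` (handled by systemd-modules-load before this unit starts) would let the unit drop the `ExecStartPre=` line and tighten the two directives to `CapabilityBoundingSet=CAP_NET_ADMIN` and `ProtectKernelModules=yes`, leaving only the netlink access the clients actually need per the comment. If the in-unit modprobe is kept deliberately, the comment should say why a drop-in was rejected so the weaker setting is not "fixed" later. Separately, `InaccessiblePaths=/tmp /dev` presumably also hides `/dev/null` and friends from the spawned processes; `PrivateDevices=yes` is the conventional way to deny device access while keeping the pseudo-devices available, and is worth verifying against a real start/stop cycle.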