author | Ben Mitchell | 2022-12-24 14:20:21 +0000 |
---|---|---|
committer | Ben Mitchell | 2022-12-24 14:20:21 +0000 |
commit | 04215bad4e9ddc4cd222b4161e396a709b135aa7 (patch) | |
tree | 396e40d5db905af1a0073f0f14d61313749bc35a /muse-hub.service | |
parent | 5b8eea5cdbaaa926aea047590c83127b1cec2baa (diff) | |
download | aur-04215bad4e9ddc4cd222b4161e396a709b135aa7.tar.gz |
Sandboxing
Diffstat (limited to 'muse-hub.service')
-rw-r--r-- | muse-hub.service | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/muse-hub.service b/muse-hub.service
index 7e1cef2b3630..273e92f638ce 100644
--- a/muse-hub.service
+++ b/muse-hub.service
@@ -11,5 +11,42 @@ ExecStart=/usr/bin/muse-hub-service
 Restart=always
 RestartSec=5
 WorkingDirectory=/opt/muse-hub
+
+ReadWritePaths=/tmp /srv/muse-hub
+
+TemporaryFileSystem=/opt:ro /srv:rw
+BindReadOnlyPaths=/opt/muse-hub
+BindPaths=-/srv/muse-hub /tmp
+
+NoNewPrivileges=yes
+PrivateTmp=no
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateMounts=yes
+DevicePolicy=closed
+
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectProc=noaccess
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+MemoryDenyWriteExecute=no
+LockPersonality=yes
+
+IPAddressDeny=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10,fc00::/7,fd00::/8,fec0::/10,localhost,link-local,multicast
+
 [Install]
 WantedBy=multi-user.target
\ No newline at end of file |
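Review bot: The `-` prefix in `BindPaths=-/srv/muse-hub /tmp` makes the bind optional, so on a host where /srv/muse-hub does not exist the service silently writes its state into the `TemporaryFileSystem=/srv:rw` tmpfs and loses it on every restart instead of failing to start; `StateDirectory=muse-hub` (with the path under /var/lib) or dropping the `-` so a missing directory is a hard error would make this deterministic. `PrivateTmp=no` together with `ReadWritePaths=/tmp` and the `/tmp` entry in `BindPaths=` leaves the service sharing the host-wide /tmp, which reintroduces symlink/race exposure from other local users; if the shared /tmp is deliberate (e.g. an IPC socket a client must reach), a comment saying so would stop a later maintainer from "fixing" it, otherwise `PrivateTmp=yes` is the safer default. The hunk also adds no syscall restrictions; `SystemCallArchitectures=native` and `SystemCallFilter=@system-service` are the usual companions to an empty `CapabilityBoundingSet=` and `MemoryDenyWriteExecute=no` presumably reflects a W^X requirement of the binary, which is worth noting in a comment. The `[Service]` section header and any `User=` line are outside the hunk, so whether the empty capability set is paired with an unprivileged user cannot be confirmed here.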