Sandboxing

author: Ben Mitchell 2022-12-24 14:20:21 +0000
committer: Ben Mitchell 2022-12-24 14:20:21 +0000
commit: 04215bad4e9ddc4cd222b4161e396a709b135aa7 (patch)
tree: 396e40d5db905af1a0073f0f14d61313749bc35a /muse-hub.service
parent: 5b8eea5cdbaaa926aea047590c83127b1cec2baa (diff)
download: aur-04215bad4e9ddc4cd222b4161e396a709b135aa7.tar.gz
1 files changed, 37 insertions, 0 deletions
diff --git a/muse-hub.service b/muse-hub.service
index 7e1cef2b3630..273e92f638ce 100644
--- a/muse-hub.service
+++ b/muse-hub.service
@@ -11,5 +11,42 @@ ExecStart=/usr/bin/muse-hub-service
 Restart=always
 RestartSec=5
 WorkingDirectory=/opt/muse-hub
+
+ReadWritePaths=/tmp /srv/muse-hub
+
+TemporaryFileSystem=/opt:ro /srv:rw
+BindReadOnlyPaths=/opt/muse-hub
+BindPaths=-/srv/muse-hub /tmp
+
+NoNewPrivileges=yes
+PrivateTmp=no
+PrivateDevices=yes
+PrivateUsers=yes
+PrivateMounts=yes
+DevicePolicy=closed
+
+ProtectSystem=strict
+ProtectHome=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+ProtectHostname=yes
+ProtectProc=noaccess
+
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
+CapabilityBoundingSet=
+AmbientCapabilities=
+
+MemoryDenyWriteExecute=no
+LockPersonality=yes
+
+IPAddressDeny=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10,fc00::/7,fd00::/8,fec0::/10,localhost,link-local,multicast
+
 [Install]
 WantedBy=multi-user.target
 \ No newline at end of file
author	Ben Mitchell	2022-12-24 14:20:21 +0000
committer	Ben Mitchell	2022-12-24 14:20:21 +0000
commit	04215bad4e9ddc4cd222b4161e396a709b135aa7 (patch)
tree	396e40d5db905af1a0073f0f14d61313749bc35a /muse-hub.service
parent	5b8eea5cdbaaa926aea047590c83127b1cec2baa (diff)
download	aur-04215bad4e9ddc4cd222b4161e396a709b135aa7.tar.gz