Fix package, harden systemd units

author: Xiretza 2021-02-01 11:56:03 +0100
committer: Xiretza 2021-02-01 11:56:03 +0100
commit: f2efd37fddb3684b820e645550d419546d64a790 (patch)
tree: b4dd9e285e2bbca2f9fd1e6a45da926fb7247cca /vlmcsd.service
parent: cec9ba50198e890734540d324805c80aa6fe69f1 (diff)
download: aur-f2efd37fddb3684b820e645550d419546d64a790.tar.gz
1 files changed, 27 insertions, 1 deletions
diff --git a/vlmcsd.service b/vlmcsd.service
index e499d0880938..8eaf331274b0 100644
--- a/vlmcsd.service
+++ b/vlmcsd.service
@@ -2,8 +2,34 @@
 Description=KMS Emulator
 
 [Service]
+SystemCallFilter=@system-service
+SystemCallFilter=~@privileged @resources
+SystemCallArchitectures=native
+RestrictAddressFamilies=AF_INET AF_INET6
+RestrictNamespaces=true
+CapabilityBoundingSet=
+NoNewPrivileges=true
+LockPersonality=true
+RestrictRealtime=true
+MemoryDenyWriteExecute=true
+
+ProtectHome=true
+ProtectSystem=strict
+PrivateDevices=true
+PrivateUsers=true
+ProtectClock=true
+ProtectProc=invisible
+ProcSubset=pid
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+DevicePolicy=closed
+
+DynamicUser=true
+
 Type=forking
-User=nobody
 ExecStart=/usr/bin/vlmcsd
 
 [Install]
author	Xiretza	2021-02-01 11:56:03 +0100
committer	Xiretza	2021-02-01 11:56:03 +0100
commit	f2efd37fddb3684b820e645550d419546d64a790 (patch)
tree	b4dd9e285e2bbca2f9fd1e6a45da926fb7247cca /vlmcsd.service
parent	cec9ba50198e890734540d324805c80aa6fe69f1 (diff)
download	aur-f2efd37fddb3684b820e645550d419546d64a790.tar.gz