diff options
Diffstat (limited to 'icecast-kh.service')
-rw-r--r-- | icecast-kh.service | 34 |
1 files changed, 33 insertions, 1 deletions
diff --git a/icecast-kh.service b/icecast-kh.service index 5ca58dd1ebb8..24eab8165e25 100644 --- a/icecast-kh.service +++ b/icecast-kh.service @@ -3,9 +3,41 @@ Description=Icecast Network Audio Streaming Server (KH Version) After=network.target [Service] -Type=simple +CapabilityBoundingSet=~CAP_SETUID CAP_SETGID CAP_SETPCAP CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_KILL CAP_SYS_BOOT CAP_LINUX_IMMUTABLE CAP_CHOWN CAP_FSETID CAP_SETFCAP CAP_FOWNER CAP_IPC_OWNER CAP_NET_ADMIN CAP_IPC_LOCK CAP_SYS_CHROOT CAP_BLOCK_SUSPEND CAP_LEASE CAP_SYS_PACCT CAP_SYS_TTY_CONFIG CAP_WAKE_ALARM CAP_SYS_NICE CAP_SYS_RESOURCE CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_AUDIT_CONTROL CAP_AUDIT_READ CAP_AUDIT_WRITE CAP_MAC_ADMIN CAP_MAC_OVERRIDE CAP_NET_BIND_SERVICE CAP_NET_BROADCAST CAP_NET_RAW ExecStart=/usr/bin/icecast -c /etc/icecast.xml ExecReload=/bin/kill -HUP $MAINPID +Group=icecast +IPAccounting=yes +LogsDirectory=icecast +LockPersonality=true +MemoryDenyWriteExecute=true +NoNewPrivileges=true +PrivateDevices=true +PrivateTmp=true +PrivateUsers=true +ProtectClock=true +ProtectControlGroups=true +ProtectHome=true +ProtectHostname=true +ProtectKernelLogs=true +ProtectKernelModules=true +ProtectKernelTunables=true +ProtectSystem=strict +ReadOnlyPaths=/etc/icecast.xml +RemoveIPC=true +RestrictAddressFamilies=~AF_AX25 AF_IPX AF_APPLETALK AF_X25 AF_DECnet AF_KEY AF_NETLINK AF_PACKET AF_RDS AF_PPPOX AF_LLC AF_IB AF_MPLS AF_CAN AF_TIPC AF_BLUETOOTH AF_ALG AF_VSOCK AF_KCM AF_XDP AF_UNIX +RestrictAddressFamilies=AF_INET AF_INET6 +RestrictNamespaces=true +RestrictRealtime=true +RestrictSUIDSGID=true +RuntimeDirectory=icecast +StateDirectory=icecast +SystemCallArchitectures=native +SystemCallFilter=@system-service +SystemCallFilter=~@resources @privileged +Type=exec +UMask=177 +User=icecast [Install] WantedBy=multi-user.target |