Diffstat (limited to 'jool.service')
-rw-r--r-- | jool.service | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/jool.service b/jool.service
new file mode 100644
index 000000000000..0ed16b4f503c
--- /dev/null
+++ b/jool.service
@@ -0,0 +1,39 @@
+[Unit]
+Description=Stateful NAT64
+Documentation=https://jool.mx/en/documentation.html
+After=network.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+
+ExecStartPre=/sbin/modprobe jool
+ExecStart=/usr/bin/jool file handle /etc/jool/jool.conf
+ExecStop=/usr/bin/jool -f /etc/jool/jool.conf instance remove
+# Do not modprobe -r; some other instance could be running.
+
+ConditionPathExists=/etc/jool/jool.conf
+
+# -- Security Section --
+# Long story short: All the jool clients need is read access on the config
+# files, and the Netlink socket to kernelspace.
+# The ExecStartPre above also needs to be able to modify kernel modules.
+# Everything else should probably be blocked.
+
+CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=yes
+InaccessiblePaths=/tmp /dev
+ProtectKernelTunables=yes
+ProtectKernelModules=no
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_NETLINK
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+SystemCallArchitectures=native
+
+[Install]
+WantedBy=multi-user.target |
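Review bot: `ConditionPathExists=/etc/jool/jool.conf` is placed in the [Service] section, but Condition*= directives belong to [Unit]; systemd logs an "unknown key" warning and ignores it there, so the unit will start (and fail at ExecStart) when the config file is missing — move the line under [Unit], right after `After=network.target`. The comment says only ExecStartPre needs module privileges, yet `CapabilityBoundingSet=CAP_SYS_MODULE` and `ProtectKernelModules=no` apply to the jool client in ExecStart and ExecStop as well; loading the module through a modules-load.d drop-in (or a separate unit ordered before this one) would let this unit drop CAP_SYS_MODULE and set `ProtectKernelModules=yes`, which is a much larger hardening gain than the remaining toggles. `InaccessiblePaths=/dev` removes /dev/null and friends from the sandbox, which may break anything that reopens them; `PrivateDevices=yes` gives a minimal private /dev and is probably the safer equivalent here. If the target systemd is recent enough, a `SystemCallFilter=@system-service @module` line (the `@module` group only while modprobe stays in this unit) would complement `SystemCallArchitectures=native`.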