Diffstat (limited to 'portmaster.service')
-rw-r--r-- | portmaster.service | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/portmaster.service b/portmaster.service
new file mode 100644
index 000000000000..af25a314e725
--- /dev/null
+++ b/portmaster.service
@@ -0,0 +1,44 @@
+[Unit]
+Description=Portmaster by Safing
+Documentation=https://safing.io
+Documentation=https://docs.safing.io
+Before=nss-lookup.target network.target shutdown.target
+After=systemd-networkd.service
+Conflicts=shutdown.target
+Conflicts=firewalld.service
+Wants=nss-lookup.target
+
+[Service]
+Type=simple
+Restart=on-failure
+RestartSec=10
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateTmp=yes
+PIDFile=/opt/safing/portmaster/core-lock.pid
+Environment=LOGLEVEL=info
+Environment=PORTMASTER_ARGS=
+EnvironmentFile=-/etc/default/portmaster
+ProtectSystem=true
+#ReadWritePaths=/var/lib/portmaster
+#ReadWritePaths=/run/xtables.lock
+RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
+RestrictNamespaces=yes
+# In future version portmaster will require access to user home
+# directories to verify application permissions.
+ProtectHome=read-only
+ProtectKernelTunables=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+PrivateDevices=yes
+AmbientCapabilities=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+CapabilityBoundingSet=cap_chown cap_kill cap_net_admin cap_net_bind_service cap_net_broadcast cap_net_raw cap_sys_module cap_sys_ptrace cap_dac_override cap_fowner cap_fsetid
+# SystemCallArchitectures=native
+# SystemCallFilter=@system-service @module
+# SystemCallErrorNumber=EPERM
+ExecStart=/opt/safing/portmaster/portmaster-start --data /opt/safing/portmaster core -- $PORTMASTER_ARGS
+ExecStopPost=-/opt/safing/portmaster/portmaster-start recover-iptables
+
+[Install]
+WantedBy=multi-user.target |
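Review bot: `SystemCallArchitectures=native` is left commented out in `[Service]` while the unit relies on `MemoryDenyWriteExecute=`, `RestrictAddressFamilies=` and `RestrictNamespaces=`, which are seccomp-based and which systemd.exec(5) recommends pairing with it so that a non-native ABI cannot be used to sidestep them. I would enable that line even if `SystemCallFilter=` stays off. `ProtectSystem=true` only makes /usr and the boot loader directories read-only, and both `ReadWritePaths=` lines are commented, so /etc and the rest of the tree stay writable to a service that has no `User=` and so presumably runs as root with `cap_dac_override`. `ProtectSystem=strict` together with `ReadWritePaths=/opt/safing/portmaster` would be tighter, though it needs testing against the xtables lock path named in the commented line. The bounding set also carries `cap_sys_module` and `cap_sys_ptrace`, so a comment above `CapabilityBoundingSet=` stating what each is needed for would let a later reviewer judge whether either can be dropped.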