path: root/030-i2pd-systemd-service-hardening.patch
blob: c8168223f9a80ab0990291565cdcccc863d457f1 (plain)
--- a/contrib/i2pd.service
+++ b/contrib/i2pd.service
@@ -33,5 +33,31 @@ LimitNOFILE=4096
 # To enable write of coredump uncomment this
 #LimitCORE=infinity
 
+# Hardening options
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectControlGroups=true
+NoNewPrivileges=true
+MemoryDenyWriteExecute=true
+LockPersonality=true
+SystemCallFilter=@system-service
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectProc=invisible
+ProcSubset=pid
+PrivateMounts=true
+PrivateUsers=true
+ReadWritePaths=/var/lib/i2pd /var/log/i2pd
+RemoveIPC=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+
 [Install]
 WantedBy=multi-user.target
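Review bot: `ReadWritePaths=` on the new side only whitelists /var/lib/i2pd and /var/log/i2pd, so under `ProtectSystem=strict` every other location the daemon writes — a pid file or socket under /run, or anything under /etc/i2pd — is read-only unless it is declared with `RuntimeDirectory=`/`StateDirectory=` or added to this list; the ExecStart=/PIDFile= lines of the [Service] section that would confirm this are outside the hunk, so please check them against the paths the binary actually writes. The block also mixes directives from several systemd releases (`ProtectProc=`/`ProcSubset=` arrived in v247, `ProtectClock=`/`ProtectKernelLogs=` in v245), and older systemd logs unknown keys and ignores them, so the profile degrades silently on such hosts; the header comment should say so, e.g. `# Hardening options (ProtectProc=/ProcSubset= need systemd >= 247; older versions ignore unknown keys)`. With `SystemCallFilter=` set and no `SystemCallErrorNumber=`, a filtered syscall terminates the process with SIGSYS (shown as status=31/SYS in the journal), which is the intended hard-fail mode for a hardened daemon but is worth a one-line comment so operators recognise it when debugging a non-starting service. If the unit does not need any capabilities (e.g. no privileged port binding via `AmbientCapabilities=`, again outside the hunk), an empty `CapabilityBoundingSet=` would complete the profile.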