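# jool_siit.service -- systemd unit for the Jool SIIT (stateless IPv4/IPv6
# translation) instance. The translator itself is the jool_siit kernel module;
# this unit only loads the module and hands it /etc/jool/jool_siit.conf
# through the jool_siit userspace client.
[Unit]
Description=Stateless IP/ICMP Translator
Documentation=https://jool.mx/en/documentation.html
After=network.target
# Condition*= settings are [Unit] settings. Placed in [Service] systemd logs
# "Unknown key name 'ConditionPathExists' in section 'Service', ignoring" and
# the unit would start without a config file and fail in ExecStart instead of
# being skipped cleanly.
ConditionPathExists=/etc/jool/jool_siit.conf

[Service]
# Type=oneshot: the client is expected to exit once it has configured the
# instance; RemainAfterExit keeps the unit "active" afterwards so that
# `systemctl stop` still runs ExecStop.
Type=oneshot
RemainAfterExit=yes

ExecStartPre=/sbin/modprobe jool_siit
ExecStart=/usr/bin/jool_siit file handle /etc/jool/jool_siit.conf
ExecStop=/usr/bin/jool_siit -f /etc/jool/jool_siit.conf instance remove
# Do not modprobe -r; some other instance could be running.

# -- Security Section --
# Long story short: All the jool clients need is read access on the config
# files, and the Netlink socket to kernelspace.
# The ExecStartPre above also needs to be able to load kernel modules.
# Everything else should probably be blocked.

# CAP_SYS_MODULE: modprobe in ExecStartPre. CAP_NET_ADMIN: kept for the
# Netlink channel between the client and the module.
CapabilityBoundingSet=CAP_SYS_MODULE CAP_NET_ADMIN
NoNewPrivileges=yes
# Whole file system read-only for the service; the config only needs reading.
ProtectSystem=strict
ProtectHome=yes
InaccessiblePaths=/tmp /dev
ProtectKernelTunables=yes
# Deliberate exception: ProtectKernelModules=yes would drop CAP_SYS_MODULE
# from the bounding set and make the modprobe in ExecStartPre fail.
ProtectKernelModules=no
ProtectControlGroups=yes
# The only socket family the client needs; AF_INET/AF_INET6 are not required.
RestrictAddressFamilies=AF_NETLINK
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
SystemCallArchitectures=native

[Install]
WantedBy=multi-user.target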