path: root/xdpdropper.service
blob: ac36f30c0725189299dd9a9a2d14a84bcfc503e4 (plain)
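[Unit]
Description=XDPDropper
# After= only orders this unit relative to network-online.target; it does not
# request the target. Wants= pulls it into the boot transaction so that the
# ordering actually takes effect even when no other unit asks for it.
Wants=network-online.target
After=network-online.target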

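[Service]
# Loaded by systemd before the process starts. There is no "-" prefix, so a
# missing file makes the start fail. Keep the file root-owned and not writable
# by other users: its contents configure a process that holds CAP_SYS_ADMIN.
EnvironmentFile=/etc/xdpdropper.conf
ExecStart=/usr/bin/xdpdropper
Type=simple

# hardening - unrestricted or partially restricted
# No User= is set in this unit, so as a system unit the service runs as root;
# the bounding set below is then the main limit on what that root can do.
# CAP_SYS_ADMIN is a very broad capability. NOTE(review): presumably kept for
# loading/attaching the BPF program; on kernels that have CAP_BPF, a narrower
# set (CAP_BPF CAP_NET_ADMIN) may be enough - confirm against the binary.
CapabilityBoundingSet=CAP_SYS_ADMIN
DynamicUser=false
# Together with IPAddressDeny=any further down: the service's own sockets may
# only talk to loopback. This is a cgroup-level socket filter and is separate
# from whatever packet filtering the daemon installs on an interface.
IPAddressAllow=localhost
# Stays in the host network namespace (presumably required to reach the host's
# interfaces - confirm).
PrivateNetwork=false
PrivateUsers=false
# ProtectProc= documents the values noaccess, invisible, ptraceable and
# default, not a boolean. "default" is the unrestricted setting that the
# previous "false" was meant to express.
ProtectProc=default
# Allow-list of socket families. NOTE(review): AF_NETLINK is presumably used
# for interface management - confirm.
RestrictAddressFamilies=AF_INET AF_NETLINK
# Only network namespaces may be created or entered; all other types are denied.
RestrictNamespaces=net
# Allow-list. @privileged is a wide group (it also covers module, clock,
# reboot and swap related calls). NOTE(review): presumably included for
# bpf(2); consider listing only the calls that are actually needed.
SystemCallFilter=@privileged @system-service

# hardening - fully restricted
IPAddressDeny=any
LockPersonality=true
# Refuses memory mappings that are writable and executable at the same time.
MemoryDenyWriteExecute=true
# The process and its children cannot gain privileges through setuid or
# file-capability binaries.
NoNewPrivileges=true
PrivateDevices=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
# strict mounts the file system hierarchy read-only for the service; the empty
# ReadWritePaths= below leaves no path re-opened for writing.
ProtectSystem=strict
ReadWritePaths=
RestrictRealtime=true
RestrictSUIDSGID=true
SystemCallArchitectures=native
# Files the service creates are accessible to their owner only.
UMask=077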

[Install]
# Enabling the unit hooks it into multi-user.target, i.e. it is started during
# a normal (non-rescue) boot.
WantedBy=multi-user.target