sispmctl.service: enhance security
Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
parent
b835c9894c
commit
901cfec7a2
|
@ -1,5 +1,6 @@
|
|||
10 Apr 2020 - 4.7
|
||||
Support scheduling on EG-PMS2
|
||||
Step up security in systemd service definition
|
||||
|
||||
01 Apr 2020 - 4.6
|
||||
Add option to specify powerstrip by USB Bus:Device
|
||||
|
|
|
@ -22,10 +22,29 @@ After=systemd-udev-settle.service
|
|||
WantedBy=multi-user.target
|
||||
|
||||
[Service]
|
||||
CapabilityBoundingSet=
|
||||
LockPersonality=true
|
||||
MemoryDenyWriteExecute=true
|
||||
NoNewPrivileges=true
|
||||
PrivateTmp=true
|
||||
PrivateUsers=true
|
||||
ProtectClock=true
|
||||
ProtectControlGroups=true
|
||||
ProtectHome=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
ProtectSystem=strict
|
||||
RemoveIPC=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
SystemCallFilter=@system-service
|
||||
SystemCallArchitectures=native
|
||||
UMask=177
|
||||
|
||||
User=sispmctl
|
||||
Group=sispmctl
|
||||
Type=forking
|
||||
WorkingDirectory=/
|
||||
ExecStart=/usr/local/bin/sispmctl -p 2638 -l
|
||||
SyslogIdentifier=sispmctl
|
||||
Restart=always
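Review bot: The added hardening block (`CapabilityBoundingSet=` through `UMask=177`) never states a device policy, although this daemon has to open a USB device node to do its job. According to the systemd documentation, `ProtectClock=true` implies `DeviceAllow=char-rtc r`, and once any `DeviceAllow=` is present the default `DevicePolicy=auto` no longer allows all devices, so USB access may be blocked as a side effect; this needs a test on a systemd version that implements ProtectClock. Making the intent explicit with `DevicePolicy=closed` and `DeviceAllow=char-usb_device rw` would keep the service working and limit it to the one device class it needs. It is also worth confirming that `RestrictAddressFamilies=AF_INET AF_INET6` does not break device enumeration, since the USB library may rely on AF_NETLINK. The unit file continues outside this hunk, so directives set elsewhere are not visible here.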
|
||||
|
|