diff --git a/conf/bookwyrm-beat.service b/conf/bookwyrm-beat.service
index 0094854..3d126df 100644
--- a/conf/bookwyrm-beat.service
+++ b/conf/bookwyrm-beat.service
@@ -16,10 +16,10 @@ ProtectHome=tmpfs
 InaccessiblePaths=-/media -/mnt -/srv
 PrivateTmp=yes
 TemporaryFileSystem=/var /run
-PrivateUsers=true
+#PrivateUsers=true
 PrivateDevices=true
 BindReadOnlyPaths=__INSTALL_DIR__
-BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
+#BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
 LockPersonality=yes
 MemoryDenyWriteExecute=true
 PrivateMounts=true
diff --git a/conf/bookwyrm-server.service b/conf/bookwyrm-server.service
index 1c5ca73..60a0061 100644
--- a/conf/bookwyrm-server.service
+++ b/conf/bookwyrm-server.service
@@ -32,6 +32,10 @@ ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=net
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+DevicePolicy=closed
+ProtectProc=invisible
 SystemCallArchitectures=native
 SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
diff --git a/conf/bookwyrm-worker.service b/conf/bookwyrm-worker.service
index f3e9a12..e205b80 100644
--- a/conf/bookwyrm-worker.service
+++ b/conf/bookwyrm-worker.service
@@ -19,7 +19,7 @@ TemporaryFileSystem=/var /run
 #PrivateUsers=true
 PrivateDevices=true
 BindReadOnlyPaths=__INSTALL_DIR__
-BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
+#BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql
 LockPersonality=yes
 MemoryDenyWriteExecute=true
 PrivateMounts=true
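Review bot: Once `BindPaths=__INSTALL_DIR__/images __INSTALL_DIR__/static /var/run/postgresql` is commented out, those paths fall under `BindReadOnlyPaths=__INSTALL_DIR__` and `TemporaryFileSystem=/var /run`, so as far as this hunk shows the beat process loses write access to images/ and static/ and the /var/run/postgresql socket directory is hidden behind the tmpfs; if the unit reaches PostgreSQL over TCP and never writes to those directories that is fine, but nothing in the change says so. The same `BindPaths` line is commented out in the bookwyrm-worker.service hunk. Disabling `PrivateUsers=true` is a real reduction in sandboxing, and a `#`-prefixed line records neither the reason nor whether it is meant to return; I would replace both commented lines with a short comment such as `# PrivateUsers/BindPaths disabled: <reason>, see <ticket>` or drop them. This hunk also does not receive the NoNewPrivileges/RestrictAddressFamilies/DevicePolicy/ProtectProc block that the server and worker units gain in this commit; unless bookwyrm-beat.service already sets those outside the hunk, the three units now diverge in hardening.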
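Review bot: `ProtectProc=invisible` does not affect a service running as root and is bypassed by CAP_SYS_PTRACE per the systemd.exec documentation, so it only hardens this unit if `User=` (or `DynamicUser=`) and a capability bounding set without CAP_SYS_PTRACE are set elsewhere in bookwyrm-server.service; the hunk does not show them, so this is worth confirming. The same applies to the bookwyrm-worker.service hunk that adds the identical block. `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK` keeps AF_NETLINK, which a web application rarely needs directly; if it is there for libc interface enumeration or a specific library, a one-line comment such as `# AF_NETLINK: required by <library/reason>` would stop the next reviewer from removing it. `DevicePolicy=closed` is implied by `PrivateDevices=true` if this unit sets it as the beat and worker units do, so it is redundant there but harmless.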
@@ -32,6 +32,12 @@ ProtectControlGroups=true
 RestrictRealtime=true
 RestrictNamespaces=net
+NoNewPrivileges=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
+DevicePolicy=closed
+ProtectProc=invisible
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
 # Denying access to capabilities that should not be relevant for webapps
 # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html
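Review bot: `SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged` is a deny-list, so every system call outside the listed groups, including ones added by future kernels, stays allowed; the allow-list form systemd documents as the baseline for daemons is tighter and needs no upkeep as groups grow, e.g. `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources` to subtract what the worker must not have. Whichever form stays, adding `SystemCallErrorNumber=EPERM` makes a blocked call fail with an error the worker can log instead of the process being killed with SIGSYS, which is much easier to diagnose when the filter is first rolled out. This hunk also copies the block from bookwyrm-server.service verbatim; if the intent is one hardening profile for all three units, a shared drop-in under each unit's `.d/` directory would keep them from drifting, which the beat unit already does in this commit.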