YunoHost-Apps/gotosocial_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/gotosocial_ynh.git synced 2024-09-03 19:16:06 +02:00
Code Issues Activity Actions

Improve systemd hardening

Browse source
This commit is contained in:
OniriCorpe 2022-08-15 19:38:57 +02:00
parent 4dea8cdef5
commit b78995c6ed
2 changed files with 7 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
conf/systemd.service
View file

@ -20,16 +20,20 @@ StandardError=inherit
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
DevicePolicy=closed
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible
ProtectSystem=full
ProtectControlGroups=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap
SystemCallArchitectures=native
SystemCallFilter=~@clock @debug @module @mount @obsolete @reboot @setuid @swap @cpu-emulation @privileged
# Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html

2
manifest.json
View file

@ -6,7 +6,7 @@
"en": "An ActivityPub social network server, written in Golang.",
"fr": "Un serveur de réseau social basé sur ActivityPub écrit en Golang."
},
"version": "0.3.8~ynh2",
"version": "0.3.8~ynh3",
"url": "https://github.com/superseriousbusiness/gotosocial",
"upstream": {
"license": "AGPL-3.0-only",