1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/pytition_ynh.git synced 2024-09-03 20:16:08 +02:00

Add RestrictAddressFamilies and SystemCallFilter

This commit is contained in:
Alexandre Aubin 2020-11-11 19:54:27 +01:00 committed by GitHub
parent 1ac3a1c1f7
commit f1ec6a6c85
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -16,6 +16,7 @@ ExecStart=__FINALPATH__/script >> /var/log/__APP__/__APP__.log 2>&1
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
PrivateDevices=yes PrivateDevices=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes
DevicePolicy=closed DevicePolicy=closed
@ -24,7 +25,7 @@ ProtectControlGroups=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
LockPersonality=yes LockPersonality=yes
SystemCallFilter=~@clock @debug @module @mount @obsolete @privileged @reboot @setuid @swap
# Denying access to capabilities that should not be relevant for webapps # Denying access to capabilities that should not be relevant for webapps
# Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html # Doc: https://man7.org/linux/man-pages/man7/capabilities.7.html