Commit 0d5eb65a authored by Jelle van der Waa's avatar Jelle van der Waa 🚧
Browse files

Merge branch 'aur_systemd_hardening' into 'master'

AUR systemd hardening

See merge request !287
parents 9b336e5c 501f2adc
Pipeline #5399 passed with stage
in 33 seconds
......@@ -7,3 +7,28 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-aurblup
ReadWritePaths={{ aurweb_dir }}
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
......@@ -7,3 +7,30 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-mkpkglists
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
ReadWritePaths={{ aurweb_dir }}
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
......@@ -7,3 +7,30 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-pkgmaint
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
......@@ -7,3 +7,30 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-popupdate
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
......@@ -7,3 +7,27 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-tuvotereminder
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment