Arch Linux / infrastructure
Commit 0d5eb65a, authored Feb 26, 2021 by Jelle van der Waa

Merge branch 'aur_systemd_hardening' into 'master'

AUR systemd hardening

See merge request !287

Parents: 9b336e5c, 501f2adc
Pipeline #5399 passed with stage in 33 seconds
roles/aurweb/templates/aurweb-aurblup.service.j2
@@ -7,3 +7,28 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-aurblup
ReadWritePaths={{ aurweb_dir }}
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
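
Review bot: this unit sets neither RestrictAddressFamilies= nor ProtectHome=, both of which the pkgmaint and popupdate units in the same commit get, so it keeps every socket family and can still read /home (ProtectSystem=strict only makes it read-only). If the job needs network access, allow just the families it uses, for example RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6, and either add ProtectHome=true or leave a comment explaining why it is omitted here.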
roles/aurweb/templates/aurweb-mkpkglists.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-mkpkglists
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
ReadWritePaths={{ aurweb_dir }}
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
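
Review bot: ReadWritePaths={{ aurweb_dir }} makes everything under that directory writable again despite ProtectSystem=strict, which is wider than a single job normally needs. Point it at the specific subdirectory this job writes to, and add ProtectHome=true as in the pkgmaint and popupdate units unless aurweb_dir lives under /home, in which case say so in a comment.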
roles/aurweb/templates/aurweb-pkgmaint.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-pkgmaint
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
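
Review bot: RestrictAddressFamilies=AF_UNIX only works while the database ordered by After=mysqld.service is reached over its local socket; a TCP connection to the database would fail with EAFNOSUPPORT. Add a comment next to that line stating the assumption. This unit also sets no ReadWritePaths=, so under ProtectSystem=strict it is worth confirming that the job writes only to the database.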
roles/aurweb/templates/aurweb-popupdate.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-popupdate
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
ProtectHome=true
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
RestrictAddressFamilies=AF_UNIX
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
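
Review bot: style point, the added block from NoNewPrivileges=true to SystemCallArchitectures=native is line for line the same as in aurweb-pkgmaint.service.j2, and the other three units carry variants that already differ (ProtectHome= and RestrictAddressFamilies= are missing in some). Move the shared directives into one included template or drop-in and keep only the per-unit differences in each file, so the five units cannot drift apart.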
roles/aurweb/templates/aurweb-tuvotereminder.service.j2
@@ -7,3 +7,27 @@ After=mysqld.service
Type=oneshot
User={{ aurweb_user }}
ExecStart=/usr/local/bin/aurweb-tuvotereminder
NoNewPrivileges=true
LockPersonality=true
CapabilityBoundingSet=
PrivateDevices=true
PrivateTmp=true
ProtectSystem=strict
MemoryDenyWriteExecute=true
RemoveIPC=true
RestrictRealtime=true
RestrictNamespaces=true
RestrictSUIDSGID=true
ProtectHostname=true
ProtectControlGroups=true
ProtectKernelLogs=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectClock=true
ProtectProc=noaccess
SystemCallArchitectures=native
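
Review bot: SystemCallArchitectures=native at the end of the block only rejects non-native ABIs; with no SystemCallFilter= alongside it, every native system call stays available to the job. Consider adding SystemCallFilter=@system-service here and in the other four units. This unit also lacks the ProtectHome=true and RestrictAddressFamilies= lines that pkgmaint and popupdate receive; add them or note why they are left out.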