Merge branch 'aur_systemd_hardening' into 'master'

AUR systemd hardening See merge request !287

Merge branch 'aur_systemd_hardening' into 'master'
AUR systemd hardening See merge request !287
0d5eb65a · Jelle van der Waa · 9b336e5c · 501f2adc · 0d5eb65a · 0d5eb65a
Commit 0d5eb65a authored Feb 26, 2021 by Jelle van der Waa 🚧
--- a/roles/aurweb/templates/aurweb-aurblup.service.j2
+++ b/roles/aurweb/templates/aurweb-aurblup.service.j2
@@ -7,3 +7,28 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-aurblup
+
+ReadWritePaths={{ aurweb_dir }}
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native
--- a/roles/aurweb/templates/aurweb-mkpkglists.service.j2
+++ b/roles/aurweb/templates/aurweb-mkpkglists.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-mkpkglists
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+ReadWritePaths={{ aurweb_dir }}
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_UNIX
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native
--- a/roles/aurweb/templates/aurweb-pkgmaint.service.j2
+++ b/roles/aurweb/templates/aurweb-pkgmaint.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-pkgmaint
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_UNIX
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native
--- a/roles/aurweb/templates/aurweb-popupdate.service.j2
+++ b/roles/aurweb/templates/aurweb-popupdate.service.j2
@@ -7,3 +7,30 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-popupdate
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+ProtectHome=true
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+RestrictAddressFamilies=AF_UNIX
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native
--- a/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
+++ b/roles/aurweb/templates/aurweb-tuvotereminder.service.j2
@@ -7,3 +7,27 @@ After=mysqld.service
 Type=oneshot
 User={{ aurweb_user }}
 ExecStart=/usr/local/bin/aurweb-tuvotereminder
+
+NoNewPrivileges=true
+LockPersonality=true
+CapabilityBoundingSet=
+
+PrivateDevices=true
+PrivateTmp=true
+ProtectSystem=strict
+
+MemoryDenyWriteExecute=true
+RemoveIPC=true
+RestrictRealtime=true
+RestrictNamespaces=true
+RestrictSUIDSGID=true
+
+ProtectHostname=true
+ProtectControlGroups=true
+ProtectKernelLogs=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectClock=true
+ProtectProc=noaccess
+
+SystemCallArchitectures=native