archweb: harden mirrorcheck service

Disallow changing of kernel options, reading home/tmp and disallow the service from seeing our /dev.

archweb: harden mirrorcheck service
Disallow changing of kernel options, reading home/tmp and disallow the service from seeing our /dev.
c8c361f6 · Jelle van der Waa · 4489a97c · c8c361f6
Commit c8c361f6 authored Nov 21, 2018 by Jelle van der Waa 🚧
--- a/roles/archweb/templates/archweb-mirrorcheck.service.j2
+++ b/roles/archweb/templates/archweb-mirrorcheck.service.j2
@@ -11,6 +11,14 @@ ExecStart={{ archweb_dir }}/env/bin/python manage.py mirrorcheck --location {{ l
 {% endfor %}
 Nice=5
 RuntimeMaxSec=3600
+NoNewPrivileges=yes
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectControlGroups=true

 [Install]
 WantedBy=multi-user.target