Verified Commit 59fd4efb authored by Frederik “Freso” S. Olesen, committed by Daniel M. Capella

paccache.service.in: Harden unit



Adds a number of sandboxing and other hardening options to the
paccache.service file.
Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com>
Signed-off-by: Daniel M. Capella <polyzen@archlinux.org>
parent 80275d21
......@@ -4,3 +4,30 @@ Description=Remove unused cached package files
[Service]
Type=oneshot
ExecStart=@bindir@/paccache -r
# Sandboxing and other hardening
ProtectProc=invisible
ProcSubset=pid
NoNewPrivileges=yes
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateNetwork=yes
PrivateIPC=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
RestrictAddressFamilies=AF_UNIX
RestrictNamespaces=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
RemoveIPC=yes
PrivateMounts=yes
SystemCallFilter=@file-system
SystemCallArchitectures=native
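Review bot: `SystemCallFilter=@file-system` on its own is an allow list, and the @file-system group covers only file operations (open, stat, rename, unlink, link and similar), so a process that reads or writes descriptors, allocates memory, forks children or waits on them is killed with SIGSYS; paccache is a shell script that does all of these, so this unit is likely to fail on its first run. Start from the broader `@system-service` group and subtract what the job does not need, e.g. `SystemCallFilter=@system-service` followed by `SystemCallFilter=~@privileged @resources`, then verify with `systemctl start paccache.service` and `journalctl -u paccache.service` that a full run completes without SIGSYS. The remaining options look consistent with what the job does: `ProtectSystem=full` keeps /var writable so the cache can still be pruned, and `PrivateNetwork=yes` with `RestrictAddressFamilies=AF_UNIX` is appropriate for an offline cleanup task.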