paccache.service.in: Harden unit

Adds a number of sandboxing and other hardening options to the paccache.service file. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> Signed-off-by: Daniel M. Capella <polyzen@archlinux.org>

paccache.service.in: Harden unit
Adds a number of sandboxing and other hardening options to the paccache.service file. Signed-off-by: Frederik “Freso” S. Olesen <freso.dk@gmail.com> Signed-off-by: Daniel M. Capella <polyzen@archlinux.org>
59fd4efb · Frederik “Freso” S. Olesen · Daniel M. Capella · 80275d21 · 59fd4efb
Verified Commit 59fd4efb authored Jul 09, 2021 by Frederik “Freso” S. Olesen Committed by Daniel M. Capella Jul 27, 2021
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,30 @@ Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native