author | Andreas Henriksson | 2018-11-23 12:10:59 +0100 |
---|---|---|
committer | Karel Zak | 2018-11-29 10:37:08 +0100 |
commit | df8d991b241d3eec80a621372f0c80a59abbfdae (patch) | |
tree | ad2ae252a9931c719b804fd9abd6672216152230 /misc-utils/uuidd.service.in | |
parent | tests: add test images for drbd v08/v09 (diff) | |
uuidd: Add hardening settings to uuidd.service
This limits what the uuid daemon has access to when it runs.
Further improving this with additional options or making
things even tighter is most likely possible.
Signed-off-by: Andreas Henriksson <andreas@fatal.se>
Diffstat (limited to 'misc-utils/uuidd.service.in')
-rw-r--r-- | misc-utils/uuidd.service.in | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/misc-utils/uuidd.service.in b/misc-utils/uuidd.service.in index a43b3c3e0..b4c9c4635 100644 --- a/misc-utils/uuidd.service.in +++ b/misc-utils/uuidd.service.in @@ -8,6 +8,17 @@ ExecStart=@usrsbin_execdir@/uuidd --socket-activation Restart=no User=uuidd Group=uuidd +ProtectSystem=strict +ProtectHome=yes +PrivateDevices=yes +PrivateNetwork=yes +PrivateUsers=yes +ProtectKernelTunables=yes +ProtectKernelModules=yes +ProtectControlGroups=yes +RestrictAddressFamilies=AF_UNIX +MemoryDenyWriteExecute=yes +SystemCallFilter=@default @file-system @basic-io @system-service @signal @io-event @network-io [Install] Also=uuidd.socket |
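Review bot: ProtectSystem=strict, the first added line, mounts the file system hierarchy read-only for the service (apart from /dev, /proc and /sys), yet none of the eleven added lines grants a writable path: there is no ReadWritePaths=, StateDirectory= or RuntimeDirectory= in the hunk. If uuidd writes any on-disk state and nothing above the visible context already covers it, those writes will fail once this unit is in use, so please add an explicit ReadWritePaths= or StateDirectory= for that directory and test a time-based UUID request against the hardened unit. The same check applies to PrivateNetwork=yes together with RestrictAddressFamilies=AF_UNIX: the daemon will see only a loopback interface and cannot open non-UNIX sockets, which matters if UUID generation reads a hardware address from a network interface. A short comment in the unit file on why each SystemCallFilter= group is listed would also help whoever tightens this later, which the commit message says is likely possible.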