mirror of
https://github.com/HorlogeSkynet/systemd-hardene.d.git
synced 2026-05-12 20:00:37 +02:00
HorlogeSkynet
072dca3208
This patch actually breaks Misaka (HTML renderer before Isso v0.14). Migrating to Mistune is recommended (see <https://isso-comments.de/docs/guides/mistune/>).
36 lines
693 B
Plaintext
36 lines
693 B
Plaintext
[Service]
|
|
CapabilityBoundingSet=
|
|
|
|
MemoryDenyWriteExecute=yes
|
|
|
|
NoNewPrivileges=yes
|
|
|
|
PrivateBPF=yes
|
|
PrivateDevices=yes
|
|
PrivateIPC=yes
|
|
PrivateMounts=yes
|
|
PrivateTmp=yes
|
|
|
|
ProtectClock=yes
|
|
ProtectControlGroups=yes
|
|
ProtectHome=yes
|
|
ProtectHostname=yes
|
|
ProtectKernelLogs=yes
|
|
ProtectKernelModules=yes
|
|
ProtectKernelTunables=yes
|
|
ProtectProc=noaccess
|
|
ProcSubset=pid
|
|
ProtectSystem=strict
|
|
ReadWritePaths=-/opt/isso
|
|
ReadOnlyPaths=-/opt/isso/.venv -/opt/isso/venv
|
|
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
RestrictNamespaces=yes
|
|
RestrictRealtime=yes
|
|
RestrictSUIDSGID=yes
|
|
|
|
LockPersonality=yes
|
|
SystemCallArchitectures=native
|
|
SystemCallFilter=@system-service
|
|
SystemCallFilter=~@privileged @resources memfd_create
|