Harden systemd unit file

2019-03-06 19:21:33 +00:00 · 2019-03-06 19:21:33 +00:00 · 2d5839e044
commit 2d5839e044
parent 79081f79d2
1 changed files with 11 additions and 0 deletions
--- a/contrib/dn42regsrv.service
+++ b/contrib/dn42regsrv.service
@ -14,6 +14,17 @@ User=regsrv
 Group=registry
 Type=simple
 Restart=on-failure
+# service hardening
+ProtectSystem=strict
+ReadOnlyPaths=/home/regsrv/go/src/git.dn42.us/burble/dn42regsrv/StaticRoot
+ReadWritePaths=/home/regsrv/registry
+NoNewPrivileges=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+DevicePolicy=closed
+MemoryDenyWriteExecute=yes
+#
 ExecStart=/home/regsrv/go/bin/dn42regsrv \
     -s /home/regsrv/go/src/git.dn42.us/burble/dn42regsrv/StaticRoot \
     -d /home/regsrv/registry