authorFederico Ceratto <federico@debian.org>2024-03-07 18:09:34 +0100
committerFederico Ceratto <federico@debian.org>2024-03-07 18:09:34 +0100
commit1c1db6f1e8add800366a0e3f7b7df589a4e5545b (patch)
tree425c9f7820bd176ab973cf02f3ce53155cdce77c
parentfd837ae50f27789ec3f3b0d66b166c0215e82516 (diff)
Add initial systemd sandbox
Reduces the systemd exposure level from 9.2 to 3.3. It could be restricted further, e.g. by disabling /var/log, filtering system calls, etc.
-rw-r--r--debian/nullmailer.service24
1 files changed, 24 insertions, 0 deletions
diff --git a/debian/nullmailer.service b/debian/nullmailer.service
index e0cc52f..67a0bff 100644
--- a/debian/nullmailer.service
+++ b/debian/nullmailer.service
@@ -13,5 +13,29 @@ Group=mail
Restart=always
SyslogFacility=mail
+# Sandboxing
+CapabilityBoundingSet=
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateMounts=yes
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=strict
+ReadWriteDirectories=-/var/log
+ReadWriteDirectories=-/var/run
+ReadWriteDirectories=-/var/spool/nullmailer
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+
[Install]
WantedBy=multi-user.target
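Review bot: `ReadWriteDirectories=` is the deprecated spelling of `ReadWritePaths=`; the three repeated entries can be collapsed into `ReadWritePaths=-/var/log -/var/run -/var/spool/nullmailer` (the `-` prefix still skips missing paths), and since `/var/run` is a symlink to `/run` on current systems, a `RuntimeDirectory=nullmailer` with `/run/nullmailer` would be the more precise grant. The write grant on all of `/var/log` is broad for a unit that already routes its output through `SyslogFacility=mail`; a `LogsDirectory=nullmailer` or dropping the path entirely, as the commit message itself suggests, would tighten `ProtectSystem=strict`. Two low-risk additions that fit the other Restrict*/Protect* lines are `RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6` and `SystemCallArchitectures=native`, though the exact families nullmailer-send opens (syslog socket, resolver) should be confirmed before adding the first. The `[Service]` header these keys belong to lies outside the hunk.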