| author | Federico Ceratto <federico@debian.org> | 2024-03-07 18:09:34 +0100 |
|---|---|---|
| committer | Federico Ceratto <federico@debian.org> | 2024-03-07 18:09:34 +0100 |
| commit | 1c1db6f1e8add800366a0e3f7b7df589a4e5545b (patch) | |
| tree | 425c9f7820bd176ab973cf02f3ce53155cdce77c | |
| parent | fd837ae50f27789ec3f3b0d66b166c0215e82516 (diff) | |
Add initial systemd sandbox
Reduces systemd exposure level from 9.2 to 3.3
It could be restricted further, e.g. disabling /var/log,
filtering system calls, etc.
| -rw-r--r-- | debian/nullmailer.service | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/debian/nullmailer.service b/debian/nullmailer.service index e0cc52f..67a0bff 100644 --- a/debian/nullmailer.service +++ b/debian/nullmailer.service @@ -13,5 +13,29 @@ Group=mail Restart=always SyslogFacility=mail +# Sandboxing +CapabilityBoundingSet= +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +PrivateDevices=yes +PrivateMounts=yes +PrivateTmp=yes +PrivateUsers=yes +ProtectClock=yes +ProtectControlGroups=yes +ProtectHome=yes +ProtectHostname=yes +ProtectKernelLogs=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +ProtectProc=invisible +ProtectSystem=strict +ReadWriteDirectories=-/var/log +ReadWriteDirectories=-/var/run +ReadWriteDirectories=-/var/spool/nullmailer +RestrictNamespaces=yes +RestrictRealtime=yes +RestrictSUIDSGID=yes + [Install] WantedBy=multi-user.target |
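Review bot: `ReadWriteDirectories=-/var/run` grants write access to the whole of `/run` (the target of the `/var/run` symlink, which `ProtectSystem=strict` otherwise leaves read-only), where `RuntimeDirectory=nullmailer` would create and expose only the service's own subdirectory; the same applies to `ReadWriteDirectories=-/var/log`, where `LogsDirectory=nullmailer`, or dropping the grant as the commit message already suggests, is tighter. `ReadWriteDirectories=` is also the deprecated spelling of the directive; current systemd documents it as `ReadWritePaths=`. Given that the unit already sets `ProtectSystem=strict` and an empty `CapabilityBoundingSet=`, the system call filtering the message defers fits in the same change as `SystemCallFilter=@system-service`, `SystemCallArchitectures=native` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX` (AF_UNIX for the syslog socket). A one-line comment per write exception naming which nullmailer component needs it would make the list easier to audit when it is tightened later.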