systemd: more paranoid security settings

2016-12-09 10:36:02 +01:00
parent 54d5d9d1cc
commit e3237f057d
2 changed files with 10 additions and 0 deletions
--- a/systemd/mpd.service.in
+++ b/systemd/mpd.service.in
@@ -12,6 +12,15 @@ LimitRTTIME=infinity
 # disallow writing to /usr, /bin, /sbin, ...
 ProtectSystem=yes

+# more paranoid security settings
+NoNewPrivileges=yes
+ProtectKernelTunables=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
+RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
+RestrictNamespaces=yes
+
 [Install]
 WantedBy=multi-user.target
 Also=mpd.socket