systemd: more paranoid security settings
This commit is contained in:
Max Kellermann
parent
54d5d9d1cc
commit
e3237f057d
1
NEWS
1
NEWS
|
|
@ -6,6 +6,7 @@ ver 0.19.20 (not yet released)
|
||||||
* output
|
* output
|
||||||
- winmm: fix 8 bit playback
|
- winmm: fix 8 bit playback
|
||||||
* fix gcc 7.0 -Wimplicit-fallthrough
|
* fix gcc 7.0 -Wimplicit-fallthrough
|
||||||
|
* systemd: paranoid security settings
|
||||||
|
|
||||||
ver 0.19.19 (2016/08/23)
|
ver 0.19.19 (2016/08/23)
|
||||||
* decoder
|
* decoder
|
||||||
|
|
|
||||||
|
|
@ -12,6 +12,15 @@ LimitRTTIME=infinity
|
||||||
# disallow writing to /usr, /bin, /sbin, ...
|
# disallow writing to /usr, /bin, /sbin, ...
|
||||||
ProtectSystem=yes
|
ProtectSystem=yes
|
||||||
|
|
||||||
|
# more paranoid security settings
|
||||||
|
NoNewPrivileges=yes
|
||||||
|
ProtectKernelTunables=yes
|
||||||
|
ProtectControlGroups=yes
|
||||||
|
ProtectKernelModules=yes
|
||||||
|
# AF_NETLINK is required by libsmbclient, or it will exit() .. *sigh*
|
||||||
|
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
|
||||||
|
RestrictNamespaces=yes
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
Also=mpd.socket
|
Also=mpd.socket
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue