File 0001-Harden-systemd-system-access.patch of Package ocli
From a67346ad6bd535c6aff9e864dcae41a15fbb8c90 Mon Sep 17 00:00:00 2001
From: Tuukka Pasanen <tuukka.pasanen@ilmi.fi>
Date: Thu, 14 Oct 2021 13:44:35 +0300
Subject: [PATCH] Harden systemd system access
Systemd provides many hardening options for protecting the underlying
system. They are enabled here because OCLI mainly operates over the network.
---
.../systemd/owntracks-cli-publisher.service | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/packaging/systemd/owntracks-cli-publisher.service b/packaging/systemd/owntracks-cli-publisher.service
index 042443f..7ba7080 100644
--- a/packaging/systemd/owntracks-cli-publisher.service
+++ b/packaging/systemd/owntracks-cli-publisher.service
@@ -11,6 +11,25 @@ Restart=always
RestartSec=60
User=owntracks
Group=owntracks
+# Harden system access
+#
+# if you need to turn off some protection
+# then create file
+# /etc/systemd/system/owntracks-cli-publisher.service.d/harden.conf
+#
+# For example turn off ProtectHome:
+# [Service]
+# ProtectHome=false
+#
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
[Install]
WantedBy=multi-user.target
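Review bot: The hardening block added after `Group=owntracks` leaves the filesystem and socket surface largely open: `ProtectSystem=full` makes only /usr, /boot, /efi and /etc read-only, and nothing isolates temporary files or limits address families. For a service the commit message describes as mainly operating over the network, consider adding `PrivateTmp=true`, `NoNewPrivileges=true` and `RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX`. Moving to `ProtectSystem=strict` with explicit `ReadWritePaths=` would be tighter still, but whether the publisher writes any state has to be checked against the rest of the `[Service]` section, which starts above this hunk. `ProtectHostname=`, `ProtectKernelLogs=` and `ProtectClock=` are ignored with only a log warning on systemd releases that predate them. The unit comment should therefore name the minimum systemd version and point to `systemd-analyze security owntracks-cli-publisher.service` for checking what is actually in effect.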
--
2.33.0