Overview

File apache-trafficserver-harden.service.patch of Package apache-trafficserver

Index: trafficserver-9.1.0/rc/trafficserver.service.in
===================================================================
--- trafficserver-9.1.0.orig/rc/trafficserver.service.in
+++ trafficserver-9.1.0/rc/trafficserver.service.in
@@ -34,5 +34,19 @@ TimeoutStopSec=5s
 ExecReload=@exp_bindir@/traffic_ctl config reload
 KillMode=process
 
+# Lock-down for the simplest use-case
+ProtectSystem=full
+ProtectHome=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectControlGroups=yes
+PrivateTmp=yes
+PrivateDevices=yes
+RestrictRealtime=yes
+RestrictNamespaces=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+MemoryDenyWriteExecute=yes
+CapabilityBoundingSet=~CAP_SYS_ADMIN
+
 [Install]
 WantedBy=multi-user.target
openSUSE Build Service is sponsored by
Places