35 lines
830 B
Diff
35 lines
830 B
Diff
--- a/contrib/i2pd.service
|
|
+++ b/contrib/i2pd.service
|
|
@@ -33,5 +33,31 @@ LimitNOFILE=4096
|
|
# To enable write of coredump uncomment this
|
|
#LimitCORE=infinity
|
|
|
|
+# Hardening options
|
|
+PrivateTmp=true
|
|
+ProtectSystem=strict
|
|
+ProtectHome=true
|
|
+PrivateDevices=true
|
|
+ProtectKernelTunables=true
|
|
+ProtectControlGroups=true
|
|
+NoNewPrivileges=true
|
|
+MemoryDenyWriteExecute=true
|
|
+LockPersonality=true
|
|
+SystemCallFilter=@system-service
|
|
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
|
|
+ProtectHostname=true
|
|
+ProtectClock=true
|
|
+ProtectKernelLogs=true
|
|
+ProtectKernelModules=true
|
|
+ProtectProc=invisible
|
|
+ProcSubset=pid
|
|
+PrivateMounts=true
|
|
+PrivateUsers=true
|
|
+ReadWritePaths=/var/lib/i2pd /var/log/i2pd
|
|
+RemoveIPC=true
|
|
+RestrictRealtime=true
|
|
+RestrictSUIDSGID=true
|
|
+SystemCallArchitectures=native
|
|
+
|
|
[Install]
|
|
WantedBy=multi-user.target
|