added some privilege limitations to sample systemd services

author: Christian Pointner <equinox@spreadspace.org> 2016-07-04 00:01:20 +0200
committer: Christian Pointner <equinox@spreadspace.org> 2016-07-04 00:01:20 +0200
commit: cc8033bba74e3fcbf5bf38af82e32178501eea71 (patch)
tree: 9ef7e53268bd745e3b5ed7322847227cdb52e5c8
parent: weakend -Werror a little (diff)
2 files changed, 10 insertions, 0 deletions
diff --git a/usr/lib/systemd/system/anytun-control@.service b/usr/lib/systemd/system/anytun-control@.service
index ec857e9..b2e6a2c 100644
--- a/usr/lib/systemd/system/anytun-control@.service
+++ b/usr/lib/systemd/system/anytun-control@.service
@@ -8,6 +8,11 @@ Type=simple
 PIDFile=/run/anytun-controld/%i.pid
 Environment="NAME=%i" "DAEMONOPTS=-D -L stdout:3"
 ExecStart=/usr/bin/anytun-launcher.sh configd
+Restart=on-failure
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
 
 [Install]
 WantedBy=multi-user.target
diff --git a/usr/lib/systemd/system/anytun@.service b/usr/lib/systemd/system/anytun@.service
index 2b7fa72..b28433b 100644
--- a/usr/lib/systemd/system/anytun@.service
+++ b/usr/lib/systemd/system/anytun@.service
@@ -7,6 +7,11 @@ Type=simple
 PIDFile=/run/anytun/%i.pid
 Environment="NAME=%i" "DAEMONOPTS=-D -L stdout:3"
 ExecStart=/usr/bin/anytun-launcher.sh vpn
+Restart=on-failure
+PrivateTmp=yes
+PrivateDevices=yes
+ProtectSystem=full
+ProtectHome=yes
 
 [Install]
 WantedBy=multi-user.target
author	Christian Pointner <equinox@spreadspace.org>	2016-07-04 00:01:20 +0200
committer	Christian Pointner <equinox@spreadspace.org>	2016-07-04 00:01:20 +0200
commit	cc8033bba74e3fcbf5bf38af82e32178501eea71 (patch)
tree	9ef7e53268bd745e3b5ed7322847227cdb52e5c8
parent	weakend -Werror a little (diff)