From cc8033bba74e3fcbf5bf38af82e32178501eea71 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 4 Jul 2016 00:01:20 +0200 Subject: added some privilege limitations to sample systemd services --- usr/lib/systemd/system/anytun-control@.service | 5 +++++ usr/lib/systemd/system/anytun@.service | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/usr/lib/systemd/system/anytun-control@.service b/usr/lib/systemd/system/anytun-control@.service index ec857e9..b2e6a2c 100644 --- a/usr/lib/systemd/system/anytun-control@.service +++ b/usr/lib/systemd/system/anytun-control@.service @@ -8,6 +8,11 @@ Type=simple PIDFile=/run/anytun-controld/%i.pid Environment="NAME=%i" "DAEMONOPTS=-D -L stdout:3" ExecStart=/usr/bin/anytun-launcher.sh configd +Restart=on-failure +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=full +ProtectHome=yes [Install] WantedBy=multi-user.target diff --git a/usr/lib/systemd/system/anytun@.service b/usr/lib/systemd/system/anytun@.service index 2b7fa72..b28433b 100644 --- a/usr/lib/systemd/system/anytun@.service +++ b/usr/lib/systemd/system/anytun@.service @@ -7,6 +7,11 @@ Type=simple PIDFile=/run/anytun/%i.pid Environment="NAME=%i" "DAEMONOPTS=-D -L stdout:3" ExecStart=/usr/bin/anytun-launcher.sh vpn +Restart=on-failure +PrivateTmp=yes +PrivateDevices=yes +ProtectSystem=full +ProtectHome=yes [Install] WantedBy=multi-user.target -- cgit v1.2.3