From 6796067e18aabf35b269fc2668412f3cacee406d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?H=C3=A9ctor=20Molinero=20Fern=C3=A1ndez?=
Date: Sun, 21 Nov 2021 15:44:36 +0100
Subject: [PATCH] Hardened udptunnel service

---
 .../etc/systemd/system/udptunnel.service | 30 +++++++++++++++----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/packer/rootfs/etc/systemd/system/udptunnel.service b/packer/rootfs/etc/systemd/system/udptunnel.service
index c9ee89d..049e34d 100644
--- a/packer/rootfs/etc/systemd/system/udptunnel.service
+++ b/packer/rootfs/etc/systemd/system/udptunnel.service
@@ -9,22 +9,42 @@ Restart=always
 ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
 StandardOutput=journal
 StandardError=journal
+UMask=0077
 DynamicUser=yes
-NoNewPrivileges=yes
-PrivateTmp=yes
-PrivateDevices=yes
 ProtectSystem=strict
 ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
 ProtectKernelTunables=yes
 ProtectKernelModules=yes
+ProtectKernelLogs=yes
 ProtectControlGroups=yes
+ProtectProc=invisible
 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
-RestrictRealtime=yes
-RemoveIPC=yes
+SystemCallFilter=~@clock
+SystemCallFilter=~@cpu-emulation
+SystemCallFilter=~@debug
+SystemCallFilter=~@module
+SystemCallFilter=~@mount
+SystemCallFilter=~@obsolete
+SystemCallFilter=~@privileged
+SystemCallFilter=~@raw-io
+SystemCallFilter=~@reboot
+SystemCallFilter=~@resources
+SystemCallFilter=~@swap
 SystemCallArchitectures=native
+CapabilityBoundingSet=
+DevicePolicy=closed
+ProcSubset=pid
+NoNewPrivileges=yes
 
 [Install]
 WantedBy=multi-user.target
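Review bot: The eleven `SystemCallFilter=~@…` lines form a deny-list, so every syscall outside those named groups stays reachable by the tunnel process; the usual hardening shape is an allow-list first, `SystemCallFilter=@system-service`, with the `~@…` exclusions kept after it, which also subsumes the `@privileged` members (`@clock`, `@module`, `@raw-io`, `@reboot`, `@swap`) that are listed separately here. No `SystemCallErrorNumber=` is set, so a filtered call terminates the process with SIGSYS rather than failing with an errno, and with `Restart=always` (context line above the hunk) a legitimately needed syscall would show up as a restart loop in the journal rather than a clear error — worth confirming on the target before shipping. `ProtectProc=`, `ProcSubset=` and `ProtectClock=` are only honoured by systemd releases that know them; on an older systemd in the packer image they are logged as unknown and silently dropped, so the resulting sandbox should be checked with `systemd-analyze security udptunnel.service` on the built image. Dropping `RemoveIPC=yes` looks safe because `DynamicUser=yes` implies it, but a short comment in the unit saying so would save the next reader from re-adding it.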