kjuulh/wireguard-setup
1
0
Fork 0
Code Issues 1 Pull Requests Projects Releases Wiki Activity

Hardened udptunnel service

Browse Source
This commit is contained in:
Héctor Molinero Fernández 2021-11-21 15:44:36 +01:00
parent 50f6458561
commit 6796067e18
1 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
packer/rootfs/etc/systemd/system/udptunnel.service
View File

@ -9,22 +9,42 @@ Restart=always
ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820 ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
StandardOutput=journal StandardOutput=journal
StandardError=journal StandardError=journal
UMask=0077
DynamicUser=yes DynamicUser=yes
NoNewPrivileges=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict ProtectSystem=strict
ProtectHome=yes ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectProc=invisible
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
RestrictRealtime=yes SystemCallFilter=~@clock
RemoveIPC=yes SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@resources
SystemCallFilter=~@swap
SystemCallArchitectures=native SystemCallArchitectures=native
CapabilityBoundingSet=
DevicePolicy=closed
ProcSubset=pid
NoNewPrivileges=yes
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target