wireguard-setup/packer/rootfs/etc/systemd/system/udptunnel.service

# udptunnel.service: socket-activated udptunnel front end that forwards to the
# local WireGuard endpoint. Read by systemd (systemd.unit(5), systemd.service(5),
# systemd.exec(5)). Full-line '#' comments only; systemd has no inline comments.
[Unit]
Description=udptunnel service
# Hard dependency on the socket unit that hands this service its listening
# socket. That unit is not visible here; presumably it pulls this service in on
# the first incoming datagram.
Requires=udptunnel.socket
# Operator kill switch: the leading '!' negates the condition, so creating this
# file prevents the service from being started (the unit is skipped, not failed).
ConditionPathExists=!/etc/udptunnel/udptunnel_not_to_be_run
[Service]
# NOTE(review): Type=notify requires the binary to send READY=1 via sd_notify;
# if this build of udptunnel does not, startup will time out — confirm.
Type=notify
# Restart on every exit, including clean exits and signal kills (for example
# SIGSYS from the syscall filter below). Uses the default RestartSec (100 ms)
# and the default start-rate limit, so a tight crash loop ends with the unit
# in the failed state rather than restarting forever.
Restart=always
# Server mode, forwarding only to WireGuard on the loopback address, so the
# tunnel cannot be pointed at other hosts. --verbose increases journal output;
# check what it logs (peer addresses likely) before relying on it in production.
ExecStart=/usr/local/bin/udptunnel --server --verbose 127.0.0.1:51820
StandardOutput=journal
StandardError=journal
# Any file the process creates is owner-only.
UMask=0077
# Run as a transient unprivileged user created at start and removed at stop.
# DynamicUser= also implies NoNewPrivileges=, RestrictSUIDSGID=,
# ProtectSystem=strict, ProtectHome=read-only, PrivateTmp=yes and RemoveIPC=yes;
# several of these are restated below for explicitness (ProtectHome=yes is
# stricter than the implied read-only).
DynamicUser=yes
# Filesystem view: read-only /usr, /boot, /efi and /etc; /home, /root and
# /run/user inaccessible; private /tmp and /var/tmp; private /dev with only
# pseudo-devices; private user namespace so root on the host is not root here.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
PrivateUsers=yes
# Kernel-interface hardening: no hostname or clock changes, sysctls and cgroups
# read-only, no module loading, no kernel log access, and /proc shows only
# this service's own processes.
ProtectHostname=yes
ProtectClock=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectProc=invisible
# AF_UNIX is needed for sd_notify and the journal stdio sockets; AF_INET and
# AF_INET6 for the tunnel itself. Every other socket family is refused.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# No new namespaces, no realtime scheduling, no setuid/setgid file creation,
# execution domain (personality) locked.
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
# Forbid memory mappings that are both writable and executable (W^X).
MemoryDenyWriteExecute=yes
# Deny-list syscall filter: each '~@group' line adds that group to the blocked
# set, so order does not matter here. With SystemCallErrorNumber= unset a
# blocked call terminates the process with SIGSYS (and Restart=always brings
# it back). NOTE(review): an allow-list (SystemCallFilter=@system-service
# followed by these denials) would be tighter — verify udptunnel's syscall
# needs under load before switching.
SystemCallFilter=~@clock
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@debug
SystemCallFilter=~@module
SystemCallFilter=~@mount
SystemCallFilter=~@obsolete
SystemCallFilter=~@privileged
SystemCallFilter=~@raw-io
SystemCallFilter=~@reboot
SystemCallFilter=~@resources
SystemCallFilter=~@swap
# Only the host's native ABI; blocks 32-bit compat syscalls on 64-bit hosts.
SystemCallArchitectures=native
# Empty bounding set: no capabilities at all, regardless of what the binary
# might try to acquire.
CapabilityBoundingSet=
# Device cgroup policy: no access to device nodes beyond the standard
# pseudo-devices.
DevicePolicy=closed
# Only /proc/PID directories are visible; requires ProtectProc= above.
ProcSubset=pid
# Already implied by DynamicUser=, kept explicit: no privilege gain via
# setuid/setgid binaries or file capabilities.
NoNewPrivileges=yes
[Install]
# Enabling the service directly starts it at boot independent of the socket;
# with socket activation, enabling udptunnel.socket alone is usually enough.
WantedBy=multi-user.target