[PATCH v2 1/2] paccache.service.in: Harden unit

Frederik “Freso” S. Olesen freso.dk at gmail.com
Fri Jul 9 11:01:06 UTC 2021


Adds a number of sandboxing and other hardening options to the
paccache.service file.

Signed-off-by: Frederik “Freso” S. Olesen <freso.dk at gmail.com>
---
 src/paccache.service.in | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

diff --git a/src/paccache.service.in b/src/paccache.service.in
index cd28e67..927574f 100644
--- a/src/paccache.service.in
+++ b/src/paccache.service.in
@@ -4,3 +4,30 @@ Description=Remove unused cached package files
 [Service]
 Type=oneshot
 ExecStart=@bindir@/paccache -r
+# Sandboxing and other hardening
+ProtectProc=invisible
+ProcSubset=pid
+NoNewPrivileges=yes
+ProtectSystem=full
+ProtectHome=yes
+PrivateTmp=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateIPC=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectControlGroups=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+RemoveIPC=yes
+PrivateMounts=yes
+SystemCallFilter=@file-system
+SystemCallArchitectures=native
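Review bot: `SystemCallFilter=@file-system` at the end of the hunk is an allow-list, so only the file-system group (plus the handful of calls systemd always permits, such as execve() and exit_group()) is allowed, and because no `SystemCallErrorNumber=` is set, any other system call terminates the process with SIGSYS instead of returning an error. `ExecStart=@bindir@/paccache -r` will need more than that to run to completion (process and basic I/O calls at least); consider `SystemCallFilter=@system-service` or adding `@process @basic-io`, or set `SystemCallErrorNumber=EPERM` so a missed call fails visibly rather than killing the unit. `ProtectSystem=full` leaves /var writable, so the default cache directory stays removable, but a `CacheDir` under /home or /usr would be blocked by `ProtectHome=yes` / `ProtectSystem=full`, which is worth a note in the commit message. The message should also say the hardened unit was exercised, e.g. `systemctl start paccache.service` followed by `systemctl status paccache.service`, and `systemd-analyze security paccache.service` to show the resulting exposure score.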
-- 
2.32.0