[systemd-devel] PrivateNetwork and libusb
Lennart Poettering
lennart at poettering.net
Wed Dec 14 11:36:01 UTC 2016
On Wed, 14.12.16 10:55, Richard Hughes (hughsient at gmail.com) wrote:
> On 14 December 2016 at 09:32, Reindl Harald <h.reindl at thelounge.net> wrote:
> > RestrictAddressFamilies=AF_NETLINK
>
> Great, that was the pointer I needed, thanks. I'm currently setting
> this in the service file:
>
> NoNewPrivileges=yes
> PrivateTmp=yes
> PrivateUsers=yes
> ProtectControlGroups=yes
> ProtectHome=yes
> ProtectKernelModules=yes
> RestrictAddressFamilies=AF_NETLINK AF_UNIX
>
> Are there other important settings I've missed? fwupd does access the
> hardware and write the odd file to the filesystem so there didn't seem
> any other super useful flags. Thanks.

Well, depends on the systemd version you are running.

I'd also set if you can:

RestrictRealtime=yes
MemoryDenyWriteExecute=yes
RestrictNamespaces=yes
SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @resources
ProtectKernelTunables=yes
ProtectSystem=full
PrivateDevices=yes
CapabilityBoundingSet=...
Lennart
--
Lennart Poettering, Red Hat
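
An added example, not part of the original message and not systemd's or fwupd's code: a small checker that reads a unit's [Service] section and reports which of the directives named in this thread are absent or switched off, and which of the suggested SystemCallFilter groups are not denied. The sample unit is constructed, and the checker does not know which directives a given systemd version supports or whether a service that touches hardware can tolerate them.

```python
# Added example (not systemd's or fwupd's code): check a unit for the thread's directives.
BOOLISH = ("NoNewPrivileges PrivateTmp PrivateUsers ProtectControlGroups ProtectHome "
           "ProtectKernelModules RestrictRealtime MemoryDenyWriteExecute RestrictNamespaces "
           "ProtectKernelTunables ProtectSystem PrivateDevices").split()
LISTS = ["RestrictAddressFamilies", "SystemCallFilter", "CapabilityBoundingSet"]
DENY_GROUPS = ("@clock @cpu-emulation @debug @keyring @module @mount "
               "@obsolete @raw-io @resources").split()
OFF = {"no", "false", "off", "0"}

def parse_service(text):
    """Return {key: [tokens]} for [Service]; repeated keys accumulate, 'Key=' resets."""
    section, out = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and "=" in line and line[0] not in "#;":
            key, value = (p.strip() for p in line.split("=", 1))
            out[key] = out.get(key, []) + value.split() if value else []
    return out

def audit(text):
    svc = parse_service(text)
    # A switch that is absent, reset, or whose last value is negative counts as missing.
    missing = [k for k in BOOLISH if not svc.get(k) or svc[k][-1].lower() in OFF]
    # An empty CapabilityBoundingSet= (LISTS[-1]) drops every capability: only absence counts.
    missing += [k for k in LISTS if k not in svc or not (svc[k] or k == LISTS[-1])]
    tokens = svc.get("SystemCallFilter", [])
    if tokens and tokens[0].startswith("~"):   # deny-list form, as in the thread
        listed = {t.lstrip("~") for t in tokens}
        open_groups = [g for g in DENY_GROUPS if g not in listed]
    else:                                      # unset, or allow-list form
        open_groups = [g for g in DENY_GROUPS if not tokens or g in tokens]
    return {"missing": missing, "syscall_groups_not_denied": open_groups}

SAMPLE = """\
# constructed sample unit, not fwupd's real service file
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
PrivateUsers=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelModules=yes
RestrictAddressFamilies=AF_NETLINK AF_UNIX
SystemCallFilter=~@clock @debug @module
"""
if __name__ == "__main__":
    print(audit(SAMPLE))
```

For an allow-list SystemCallFilter the second field lists only the groups that are explicitly allowed; individual syscall names are not expanded.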