system.conf: Default security settings for services

hashbang · Sep 21, 2015 · 39a713b · 39a713b
1 parent 62d8e78
commit 39a713b
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/systemd/system.conf.d/service-isolation.conf b/systemd/system.conf.d/service-isolation.conf
@@ -0,0 +1,8 @@
+[Service]
+PrivateTmp=true     # Poly-instantiates {/var,}/tmp per service
+PrivateDevices=true # Only exposes API pseudo-devices (/dev/null, zero, random)
+ProtectSystem=full  # Makes /usr, /boot and /etc read-only
+ProtectHome=true    # Prevents access to /home, /root and /run/user
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
+NoNewPrivileges=true