From 39a713bf5bcec549d648d74c1e558bdd1257ed5e Mon Sep 17 00:00:00 2001
From: Fox in the shell
Date: Mon, 21 Sep 2015 18:12:49 +0200
Subject: [PATCH] system.conf: Default security settings for services

---
 systemd/system.conf.d/service-isolation.conf | 8 ++++++++
 1 file changed, 8 insertions(+)
 create mode 100644 systemd/system.conf.d/service-isolation.conf

diff --git a/systemd/system.conf.d/service-isolation.conf b/systemd/system.conf.d/service-isolation.conf
new file mode 100644
index 0000000..6edbad8
--- /dev/null
+++ b/systemd/system.conf.d/service-isolation.conf
@@ -0,0 +1,8 @@
+[Service]
+PrivateTmp=true # Poly-instantiates {/var,}/tmp per service
+PrivateDevices=true # Only exposes API pseudo-devices (/dev/null, zero, random)
+ProtectSystem=full # Makes /usr, /boot and /etc read-only
+ProtectHome=true # Prevents access to /home, /root and /run/user
+
+CapabilityBoundingSet=~CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
+NoNewPrivileges=true
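Review bot: The trailing `# …` comments on the `PrivateTmp`, `PrivateDevices`, `ProtectSystem` and `ProtectHome` lines become part of the value, because systemd's config parser only treats lines that begin with `#` or `;` as comments; `PrivateTmp=true # Poly-instantiates …` is read as the value `true # Poly-instantiates {/var,}/tmp per service`, which is not a valid boolean, so each of these four settings is rejected with a parse warning and the intended sandboxing is silently not applied. Move every comment onto its own line above its key, e.g. `# Poly-instantiates {/var,}/tmp per service` followed by `PrivateTmp=true`, and do the same for the other three. Separately, this drop-in sits under `system.conf.d`, whose documented section is `[Manager]`, so a `[Service]` section there is likely ignored rather than applied as a per-service default; check the journal for warnings after `systemctl daemon-reload`, or move these defaults to a type-wide unit drop-in directory such as `service.d/` on systemd versions that support it. Note also that a blanket policy of `ProtectSystem=full`, `PrivateDevices=true` and a reduced `CapabilityBoundingSet` applies to every service on the host, including ones that legitimately need `CAP_SYS_ADMIN`, a writable `/etc` or device nodes, so plan for per-unit overrides where services break rather than relaxing the global default.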