
dac2c07d102d14d68f65736826a51c9876982bca — Hunter Peavey 3 years ago 9df486e
Add postgrey service hardening
1 files changed, 70 insertions(+), 0 deletions(-)

A postgrey.service.d/hardening.conf
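--- /dev/null
+++ b/postgrey.service.d/hardening.conf
@@ -0,0 +1,70 @@
+[Service]
+##############
+# Networking #
+##############
+
+PrivateNetwork=yes
+RestrictAddressFamilies=AF_UNIX
+IPAccounting=yes
+# IPAddressAllow= service does not require access to any IP addresses
+IPAddressDeny=any
+
+###############
+# File system #
+###############
+#  Note that the effect of these settings may be undone by privileged processes. In order to
+#  set up an effective sandboxed environment for a unit it is thus recommended to combine
+#  these settings with either CapabilityBoundingSet=~CAP_SYS_ADMIN or
+#  SystemCallFilter=~@mount.
+
+ProtectHome=yes
+ProtectSystem=strict
+ReadWritePaths=-/etc/postfix -/var/spool/postfix/postgrey -/run/postgrey
+PrivateTmp=yes
+
+###################
+# User separation #
+###################
+
+# PrivateUsers= service runs as root
+# DynamicUser= service runs as root
+
+###########
+# Devices #
+###########
+
+PrivateDevices=yes
+# DeviceAllow=/dev/exampledevice
+
+##########
+# Kernel #
+##########
+
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+
+########
+# Misc #
+########
+
+CapabilityBoundingSet=
+# AmbientCapabilities= service runs as root
+NoNewPrivileges=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+# RemoveIPC= service runs as root
+
+################
+# System calls #
+################
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+SystemCallArchitectures=native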
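Review bot: `ReadWritePaths=-/etc/postfix` in the File system section grants the daemon write access to the Postfix configuration directory, and nothing in this drop-in shows postgrey needing to write there; `ProtectSystem=strict` already leaves /etc readable, so whitelist files in /etc/postfix stay reachable with `ReadWritePaths=-/var/spool/postfix/postgrey -/run/postgrey`, and a compromised daemon can no longer rewrite main.cf. Second, the comments state the service runs as root while `CapabilityBoundingSet=` is empty and `SystemCallFilter=~@resources @privileged` removes the setuid/setgid family: if the base unit (not in this commit) starts postgrey as root and relies on its `--user`/`--group` options to drop privileges, that drop would fail with EPERM, so either the unit should carry `User=postgrey` (which also makes `PrivateUsers=` and `RemoveIPC=` usable and the "runs as root" comments wrong) or the drop-in should keep `CapabilityBoundingSet=CAP_SETUID CAP_SETGID` and add `SystemCallFilter=@setuid` — worth verifying against the actual ExecStart. Lastly, `PrivateNetwork=yes` with `RestrictAddressFamilies=AF_UNIX` only works when postgrey listens on a Unix socket under /run/postgrey, since Postfix cannot reach a loopback port inside the private network namespace; a note such as `# assumes postgrey is started with --unix=, not --inet=` above `PrivateNetwork=yes` would make that dependency explicit.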