A postgrey.service.d/hardening.conf => postgrey.service.d/hardening.conf +70 -0
@@ 0,0 1,70 @@
+[Service]
+##############
+# Networking #
+##############
+
+PrivateNetwork=yes
+RestrictAddressFamilies=AF_UNIX
+IPAccounting=yes
+# IPAddressAllow= service does not require access to any IP addresses
+IPAddressDeny=any
+
+###############
+# File system #
+###############
+# Note that the effect of these settings may be undone by privileged processes. In order to
+# set up an effective sandboxed environment for a unit it is thus recommended to combine
+# these settings with either CapabilityBoundingSet=~CAP_SYS_ADMIN or
+# SystemCallFilter=~@mount.
+
+ProtectHome=yes
+ProtectSystem=strict
+ReadWritePaths=-/etc/postfix -/var/spool/postfix/postgrey -/run/postgrey
+PrivateTmp=yes
+
+###################
+# User separation #
+###################
+
+# PrivateUsers= service runs as root
+# DynamicUser= service runs as root
+
+###########
+# Devices #
+###########
+
+PrivateDevices=yes
+# DeviceAllow=/dev/exampledevice
+
+##########
+# Kernel #
+##########
+
+ProtectKernelTunables=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+
+########
+# Misc #
+########
+
+CapabilityBoundingSet=
+# AmbientCapabilities= service runs as root
+NoNewPrivileges=yes
+ProtectHostname=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+# RemoveIPC= service runs as root
+
+################
+# System calls #
+################
+
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+SystemCallArchitectures=native
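Review bot: The empty `CapabilityBoundingSet=` under the Misc header and the deny list `SystemCallFilter=~@resources @privileged` at the end of the hunk contradict the repeated "service runs as root" comments: a root process whose bounding set is empty cannot call setuid()/setgid(), and @privileged removes those syscalls as well, so if postgrey drops to its own user at startup (its usual --user/--group behaviour; confirm against the unit's ExecStart, which is outside this drop-in) it will fail to start with this file in place. The cleaner fix is to let systemd perform the privilege drop by adding `User=postgrey` and `Group=postgrey` to this [Service] block and running postgrey without its own --user/--group switches; the empty bounding set and the @privileged filter then match reality, and the commented-out user-separation lines can become `PrivateUsers=yes` and `RemoveIPC=yes`. Two further items are worth verifying: `PrivateNetwork=yes` together with `RestrictAddressFamilies=AF_UNIX` only works when postgrey listens on a Unix socket rather than --inet, and `-/etc/postfix` in `ReadWritePaths=` grants write access to the MTA's configuration directory, which should move to `ReadOnlyPaths=` unless postgrey is known to write there.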