gnouseu/plakken
5
2
Fork 0
Code Issues Pull requests 4 Packages 1 Activity

WIP

Browse source
This commit is contained in:
Ada 2024-03-10 01:53:16 +01:00
parent a0e90c4304
commit e5e9d1df1d
Signed by: ada
GPG key ID: 6A7F898157C6DE6E
1 changed files with 23 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
plakken.service
View file

@ -1,3 +1,4 @@
# /usr/lib/systemd/system/plakken.service
[Unit] [Unit]
Description=A paste server Description=A paste server
After=network.target After=network.target
@ -8,6 +9,7 @@ User=plakken
ExecStart=/usr/bin/plakken ExecStart=/usr/bin/plakken
EnvironmentFile=/etc/plakken/env EnvironmentFile=/etc/plakken/env
NoNewPrivileges=yes NoNewPrivileges=yes
@ -16,6 +18,7 @@ ProtectHome=true
RestrictNamespaces=true RestrictNamespaces=true
PrivateTmp=true PrivateTmp=true
PrivateDevices=true PrivateDevices=true
PrivateUsers=true
ProtectClock=true ProtectClock=true
ProtectControlGroups=true ProtectControlGroups=true
ProtectKernelTunables=true ProtectKernelTunables=true
@ -25,9 +28,27 @@ LockPersonality=true
RestrictSUIDSGID=true RestrictSUIDSGID=true
RemoveIPC=true RemoveIPC=true
RestrictRealtime=true RestrictRealtime=true
SystemCallFilter=@system-service
SystemCallArchitectures=native SystemCallArchitectures=native
MemoryDenyWriteExecute=true MemoryDenyWriteExecute=true
UMask=177
ProtectProc=invisible
CapabilityBoundingSet=
ProtectHostname=true
RestrictAddressFamilies=~AF_(INET|INET6)
RestrictAddressFamilies=~…
RestrictAddressFamilies=~AF_UNIX
RestrictAddressFamilies=~AF_NETLINK
RestrictAddressFamilies=~AF_PACKET
SystemCallFilter=~@reboot
SystemCallFilter=~@obsolete
SystemCallFilter=~@mount
SystemCallFilter=~@module
SystemCallFilter=~@debug
SystemCallFilter=~@cpu-emulation
SystemCallFilter=~@clock
SystemCallFilter=~@swap
SystemCallFilter=~@privileged
ProcSubset=pid
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target