Harden systemd service

author: Jan Rybar <jrybar@redhat.com> 2023-05-24 13:06:49 +0000
committer: Jan Rybar <jrybar@redhat.com> 2023-05-24 13:06:49 +0000
commit: 25eef55dddbf0b4d635fbdd508710b496be80d9c (patch)
tree: 4daf2ec2712caac8f70fa86911e287d82b7d2ca6
parent: 5615ed043fa8d9756ea79c60f09110f29efaa081 (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/data/polkit.service.in b/data/polkit.service.in
index 88138e8..2113ff7 100644
--- a/data/polkit.service.in
+++ b/data/polkit.service.in
@@ -5,6 +5,33 @@ Documentation=man:polkit(8)
 [Service]
 Type=dbus
 BusName=org.freedesktop.PolicyKit1
+CapabilityBoundingSet=
+DeviceAllow=/dev/null rw
+DevicePolicy=strict
 ExecStart=@libprivdir@/polkitd --no-debug
 User=@polkitd_user@
 Group=@polkitd_user@
+IPAddressDeny=any
+LimitMEMLOCK=0
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+PrivateNetwork=yes
+PrivateTmp=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectClock=yes
+ProtectHostname=yes
+RemoveIPC=yes
+RestrictAddressFamilies=AF_UNIX
+RestrictNamespaces=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+UMask=0077
author	Jan Rybar <jrybar@redhat.com>	2023-05-24 13:06:49 +0000
committer	Jan Rybar <jrybar@redhat.com>	2023-05-24 13:06:49 +0000
commit	25eef55dddbf0b4d635fbdd508710b496be80d9c (patch)
tree	4daf2ec2712caac8f70fa86911e287d82b7d2ca6
parent	5615ed043fa8d9756ea79c60f09110f29efaa081 (diff)