Systemd security settings

author: Rahul Sundaram <sundaram@fedoraproject.org> 2024-02-29 21:27:03 -0500
committer: Rahul Sundaram <sundaram@fedoraproject.org> 2024-02-29 21:29:40 -0500
commit: 83b8eba4f9aa0ce8a5e22ef1829df167f9bfd027 (patch)
tree: 8cd67c7a43d02621e8833db3de897d93b855f2a4
parent: f648ae06012d1de137f12095d1bd7aaacb382042 (diff)
1 files changed, 18 insertions, 0 deletions
diff --git a/dbus/realmd.service.in b/dbus/realmd.service.in
index f0e8973..8fce139 100644
--- a/dbus/realmd.service.in
+++ b/dbus/realmd.service.in
@@ -6,3 +6,21 @@ Documentation=man:realm(8) man:realmd.conf(5)
 Type=dbus
 BusName=org.freedesktop.realmd
 ExecStart=@libexecdir@/realmd
+DevicePolicy=closed
+KeyringMode=private
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+PrivateDevices=yes
+ProtectClock=yes
+ProtectControlGroups=yes
+ProtectHome=yes
+ProtectHostname=yes
+ProtectKernelLogs=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectProc=invisible
+ProtectSystem=no
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+SystemCallArchitectures=native
author	Rahul Sundaram <sundaram@fedoraproject.org>	2024-02-29 21:27:03 -0500
committer	Rahul Sundaram <sundaram@fedoraproject.org>	2024-02-29 21:29:40 -0500
commit	83b8eba4f9aa0ce8a5e22ef1829df167f9bfd027 (patch)
tree	8cd67c7a43d02621e8833db3de897d93b855f2a4
parent	f648ae06012d1de137f12095d1bd7aaacb382042 (diff)