Fix #248 - Make a Debian package
This commit is contained in:
77
snow-scanner/debian/snow-scanner-worker.service
Normal file
77
snow-scanner/debian/snow-scanner-worker.service
Normal file
@ -0,0 +1,77 @@
|
||||
[Unit]
|
||||
Description=Snow scanner worker
|
||||
After=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
User=snow-scanner
|
||||
Group=snow-scanner
|
||||
EnvironmentFile=/etc/snow-scanner/worker.env
|
||||
|
||||
RemoveIPC=true
|
||||
ProtectHome=true
|
||||
NoNewPrivileges=true
|
||||
|
||||
PrivateTmp=false
|
||||
ProtectSystem=strict
|
||||
ProtectControlGroups=true
|
||||
ProtectKernelModules=true
|
||||
ProtectKernelTunables=true
|
||||
RestrictAddressFamilies=AF_INET AF_INET6
|
||||
RestrictNamespaces=true
|
||||
RestrictRealtime=true
|
||||
RestrictSUIDSGID=true
|
||||
MemoryDenyWriteExecute=true
|
||||
LockPersonality=true
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
ProtectProc=invisible
|
||||
ProtectClock=true
|
||||
ProcSubset=pid
|
||||
ProtectHostname=true
|
||||
ProtectKernelLogs=true
|
||||
# This will fail icmp pingers if set to true
|
||||
PrivateUsers=false
|
||||
|
||||
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
||||
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
||||
SystemCallFilter=~@pkey @ipc
|
||||
|
||||
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
||||
SystemCallErrorNumber=EPERM
|
||||
|
||||
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
||||
# Run: systemd-analyze security snow-scanner
|
||||
# Add this one for ports < 1024
|
||||
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
||||
#CapabilityBoundingSet=CAP_NET_RAW
|
||||
|
||||
SystemCallArchitectures=native
|
||||
|
||||
# Allow icmp
|
||||
#AmbientCapabilities=CAP_NET_RAW
|
||||
|
||||
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
||||
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
||||
# This is useful to turn off physical device access by the executed process
|
||||
PrivateDevices=true
|
||||
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
||||
DevicePolicy=closed
|
||||
|
||||
# No devices (except clock: ProtectClock)
|
||||
# See: https://github.com/systemd/systemd/issues/23185
|
||||
DeviceAllow=
|
||||
|
||||
BindReadOnlyPaths=/usr/share/snow-scanner
|
||||
|
||||
ExecStart=/usr/bin/snow-scanner-worker
|
||||
Restart=on-failure
|
||||
|
||||
LimitNOFILE=infinity
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
Reference in New Issue
Block a user