[Unit] Description=Snow scanner worker After=network.target After=snow-scanner.service Requires=snow-scanner.service [Service] Type=simple User=snow-scanner Group=snow-scanner EnvironmentFile=/etc/snow-scanner/worker.env RemoveIPC=true ProtectHome=true NoNewPrivileges=true PrivateTmp=false ProtectSystem=strict ProtectControlGroups=true ProtectKernelModules=true ProtectKernelTunables=true RestrictAddressFamilies=AF_INET AF_INET6 RestrictNamespaces=true RestrictRealtime=true RestrictSUIDSGID=true MemoryDenyWriteExecute=true LockPersonality=true # sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it, # but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. # This is useful to turn off physical device access by the executed process PrivateDevices=true # allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom DevicePolicy=closed ProtectProc=invisible ProtectClock=true ProcSubset=pid ProtectHostname=true ProtectKernelLogs=true # This will fail icmp pingers if set to true PrivateUsers=false SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring SystemCallFilter=~@pkey @ipc # to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately. SystemCallErrorNumber=EPERM # See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/ # Run: systemd-analyze security snow-scanner # Add this one for ports < 1024 #CapabilityBoundingSet=CAP_NET_BIND_SERVICE #CapabilityBoundingSet=CAP_NET_RAW SystemCallArchitectures=native # Allow icmp #AmbientCapabilities=CAP_NET_RAW # Add this one for ports < 1024 #AmbientCapabilities=CAP_NET_BIND_SERVICE # sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it, # but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others. # This is useful to turn off physical device access by the executed process PrivateDevices=true # allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom DevicePolicy=closed # No devices (except clock: ProtectClock) # See: https://github.com/systemd/systemd/issues/23185 DeviceAllow= BindReadOnlyPaths=/usr/share/snow-scanner ExecStart=/usr/bin/snow-scanner-worker Restart=on-failure LimitNOFILE=infinity [Install] WantedBy=multi-user.target