81 lines
2.6 KiB
Desktop File
81 lines
2.6 KiB
Desktop File
[Unit]
|
|
Description=Snow scanner worker
|
|
After=network.target
|
|
|
|
[Service]
|
|
Type=simple
|
|
User=snow-scanner
|
|
Group=snow-scanner
|
|
EnvironmentFile=/etc/snow-scanner/worker.env
|
|
|
|
RemoveIPC=true
|
|
ProtectHome=true
|
|
NoNewPrivileges=true
|
|
|
|
PrivateTmp=false
|
|
ProtectSystem=strict
|
|
ProtectControlGroups=true
|
|
ProtectKernelModules=true
|
|
ProtectKernelTunables=true
|
|
RestrictAddressFamilies=AF_INET AF_INET6
|
|
RestrictNamespaces=true
|
|
RestrictRealtime=true
|
|
RestrictSUIDSGID=true
|
|
MemoryDenyWriteExecute=true
|
|
LockPersonality=true
|
|
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
|
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
|
# This is useful to turn off physical device access by the executed process
|
|
PrivateDevices=true
|
|
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
|
DevicePolicy=closed
|
|
ProtectProc=invisible
|
|
ProtectClock=true
|
|
ProcSubset=pid
|
|
ProtectHostname=true
|
|
ProtectKernelLogs=true
|
|
# This will fail icmp pingers if set to true
|
|
PrivateUsers=false
|
|
|
|
SystemCallFilter=~@clock @cpu-emulation @debug @module @mount @obsolete
|
|
SystemCallFilter=~@privileged @raw-io @reboot @resources @swap @keyring
|
|
SystemCallFilter=~@pkey @ipc
|
|
|
|
# to return when the system call filter configured with SystemCallFilter= is triggered, instead of terminating the process immediately.
|
|
SystemCallErrorNumber=EPERM
|
|
|
|
# See: https://www.opensourcerers.org/2022/04/25/optimizing-a-systemd-service-for-security/
|
|
# Run: systemd-analyze security snow-scanner
|
|
# Add this one for ports < 1024
|
|
#CapabilityBoundingSet=CAP_NET_BIND_SERVICE
|
|
#CapabilityBoundingSet=CAP_NET_RAW
|
|
|
|
SystemCallArchitectures=native
|
|
|
|
# Allow icmp
|
|
#AmbientCapabilities=CAP_NET_RAW
|
|
|
|
# Add this one for ports < 1024
|
|
#AmbientCapabilities=CAP_NET_BIND_SERVICE
|
|
|
|
# sets up a new /dev/ mount for the executed processes and only adds API pseudo devices such as /dev/null, /dev/zero or /dev/random to it,
|
|
# but no physical devices such as /dev/sda, system memory /dev/mem, system ports /dev/port and others.
|
|
# This is useful to turn off physical device access by the executed process
|
|
PrivateDevices=true
|
|
# allows access to standard pseudo devices including /dev/null, /dev/zero, /dev/full, /dev/random, and /dev/urandom
|
|
DevicePolicy=closed
|
|
|
|
# No devices (except clock: ProtectClock)
|
|
# See: https://github.com/systemd/systemd/issues/23185
|
|
DeviceAllow=
|
|
|
|
BindReadOnlyPaths=/usr/share/snow-scanner
|
|
|
|
ExecStart=/usr/bin/snow-scanner-worker
|
|
Restart=on-failure
|
|
|
|
LimitNOFILE=infinity
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|