Further systemd security hardening

Archi
2021-10-09 01:19:23 +02:00
parent 454e9cdef4
commit b48e73d939
3 changed files with 12 additions and 18 deletions


@@ -9,7 +9,7 @@ RestartSec=5s
SyslogIdentifier=asf-%i
User=%i
# ASF security hardening
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
LockPersonality=yes
PrivateDevices=yes
PrivateMounts=yes
@@ -21,7 +21,8 @@ ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
@@ -29,12 +30,9 @@ RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Not tested
# Not tested, waiting for systemd 248+ in Debian
#PrivateIPC=yes
# This list is incomplete, will likely crash your ASF, not to mention only a total madman would enable that
#SystemCallFilter=accept4 access arch_prctl bind chdir chmod clone close connect epoll_create1 epoll_ctl epoll_wait fadvise64 fcntl flock fstat fsync ftruncate getcwd getdents64 getpeername getrusage getsockname getsockopt inotify_add_watch inotify_init ioctl listen lseek lstat madvise mkdir mknod mprotect openat pipe pipe2 poll pread64 read readlink recvfrom recvmsg rename rmdir rt_sigaction rt_sigprocmask sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_setaffinity sched_setscheduler sendmmsg sendmsg sendto setsockopt shutdown sigaltstack socket stat statfs sysinfo uname unlink utimensat write
[Unit]
After=network.target network-online.target
Description=ArchiSteamFarm Service (on %I)
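Review bot: With `ProtectSystem=strict` in the second hunk, the unchanged `ReadWritePaths=/home/%i/ArchiSteamFarm /tmp` line still exposes the host-wide `/tmp`, so the service keeps sharing a world-writable directory with every other process on the machine. Unless `PrivateTmp=` is already set in the lines outside these hunks, adding `PrivateTmp=yes` would give the service its own /tmp, and the entry could then shrink to `ReadWritePaths=/home/%i/ArchiSteamFarm`. The new `ProtectProc=invisible` also deserves a version comment like the one on `PrivateIPC`, for example `# Requires systemd 247+, older versions log a warning and ignore the line`, so that users on older distributions know the setting is not applied. Both points hold for the two other unit files in this commit, which carry identical hunks.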


@@ -9,7 +9,7 @@ RestartSec=5s
SyslogIdentifier=asf-%i
User=%i
# ASF security hardening
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
LockPersonality=yes
PrivateDevices=yes
PrivateMounts=yes
@@ -21,7 +21,8 @@ ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
@@ -29,12 +30,9 @@ RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Not tested
# Not tested, waiting for systemd 248+ in Debian
#PrivateIPC=yes
# This list is incomplete, will likely crash your ASF, not to mention only a total madman would enable that
#SystemCallFilter=accept4 access arch_prctl bind chdir chmod clone close connect epoll_create1 epoll_ctl epoll_wait fadvise64 fcntl flock fstat fsync ftruncate getcwd getdents64 getpeername getrusage getsockname getsockopt inotify_add_watch inotify_init ioctl listen lseek lstat madvise mkdir mknod mprotect openat pipe pipe2 poll pread64 read readlink recvfrom recvmsg rename rmdir rt_sigaction rt_sigprocmask sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_setaffinity sched_setscheduler sendmmsg sendmsg sendto setsockopt shutdown sigaltstack socket stat statfs sysinfo uname unlink utimensat write
[Unit]
After=network.target network-online.target
Description=ArchiSteamFarm Service (on %I)


@@ -9,7 +9,7 @@ RestartSec=5s
SyslogIdentifier=asf-%i
User=%i
# ASF security hardening
# ASF security hardening, all of the below entries are optional, but their existence improves security of your system
LockPersonality=yes
PrivateDevices=yes
PrivateMounts=yes
@@ -21,7 +21,8 @@ ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=/home/%i/ArchiSteamFarm /tmp
RemoveIPC=yes
RestrictAddressFamilies=AF_INET AF_INET6
@@ -29,12 +30,9 @@ RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
# Not tested
# Not tested, waiting for systemd 248+ in Debian
#PrivateIPC=yes
# This list is incomplete, will likely crash your ASF, not to mention only a total madman would enable that
#SystemCallFilter=accept4 access arch_prctl bind chdir chmod clone close connect epoll_create1 epoll_ctl epoll_wait fadvise64 fcntl flock fstat fsync ftruncate getcwd getdents64 getpeername getrusage getsockname getsockopt inotify_add_watch inotify_init ioctl listen lseek lstat madvise mkdir mknod mprotect openat pipe pipe2 poll pread64 read readlink recvfrom recvmsg rename rmdir rt_sigaction rt_sigprocmask sched_get_priority_max sched_get_priority_min sched_getparam sched_getscheduler sched_setaffinity sched_setscheduler sendmmsg sendmsg sendto setsockopt shutdown sigaltstack socket stat statfs sysinfo uname unlink utimensat write
[Unit]
After=network.target network-online.target
Description=ArchiSteamFarm Service (on %I)