Skip to content

Commit

Permalink
Configure systemd security features
Browse files Browse the repository at this point in the history
  • Loading branch information
Expertcoderz authored Dec 10, 2023
1 parent a11e6c7 commit 7a7a8ee
Showing 1 changed file with 36 additions and 0 deletions.
36 changes: 36 additions & 0 deletions keyd.service
Original file line number Diff line number Diff line change
Expand Up @@ -7,5 +7,41 @@ After=local-fs.target
Type=simple
ExecStart=/usr/bin/keyd

ProtectProc=noaccess
ProcSubset=pid
ProtectSystem=strict
ProtectHome=true
ReadOnlyPaths=/etc/keyd
PrivateTmp=true
DeviceAllow=input
DeviceAllow=uinput
ProtectHostname=true
ProtectClock=true

ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictNamespaces=true

RemoveIPC=true
RestrictAddressFamilies=AF_UNIX
PrivateNetwork=true
IPAddressDeny=any

NoNewPrivileges=true
LockPersonality=true
MemoryDenyWriteExecute=true
RestrictRealtime=true
RestrictSUIDSGID=true

SystemCallArchitectures=native
SystemCallFilter=@system-service
SystemCallFilter=~@privileged

CapabilityBoundingSet=CAP_SETGID CAP_SYS_NICE

UMask=177

[Install]
WantedBy=sysinit.target

0 comments on commit 7a7a8ee

Please sign in to comment.