Add systemd hardening options

Add the options suggested by the openSUSE maintainers (see #569 ) for systemd hardening. Signed-off-by: Ionut Mihalcea <[email protected]>
parallaxsecond · Jan 10, 2022 · 34ee501 · 34ee501
1 parent 62901b0
commit 34ee501
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/systemd-daemon/parsec.service b/systemd-daemon/parsec.service
@@ -5,6 +5,15 @@ Documentation=https://parallaxsecond.github.io/parsec-book/parsec_service/instal
 [Service]
 WorkingDirectory=/home/parsec/
 ExecStart=/usr/libexec/parsec/parsec --config /etc/parsec/config.toml
+# Systemd hardening
+ProtectSystem=full
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 
 [Install]
 WantedBy=default.target