Merge pull request #246 from eriksjolund/adjust_restrict_address_fami…

…lies Improve security of systemd service rest-server.service by restricting network access
restic · Jul 23, 2023 · 0bb8cd4 · 0bb8cd4
2 parents c38e18b + ec2ce8c
commit 0bb8cd4
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/examples/systemd/rest-server.service b/examples/systemd/rest-server.service
@@ -2,9 +2,8 @@
 Description=Rest Server
 After=syslog.target
 After=network.target
-
-# if you want to use socket activation, make sure to require the socket here
-#Requires=rest-server.socket
+Requires=rest-server.socket
+After=rest-server.socket
 
 [Service]
 Type=simple
@@ -37,6 +36,11 @@ CapabilityBoundingSet=
 LockPersonality=true
 MemoryDenyWriteExecute=true
 NoNewPrivileges=yes
+
+# As the listen socket is created by systemd via the rest-server.socket unit, it is
+# no longer necessary for rest-server to have access to the host network namespace.
+PrivateNetwork=yes
+
 PrivateTmp=yes
 PrivateDevices=true
 PrivateUsers=true
@@ -51,7 +55,7 @@ ProtectProc=invisible
 ProtectHostname=true
 RemoveIPC=true
 RestrictNamespaces=true
-RestrictAddressFamilies=AF_INET AF_INET6
+RestrictAddressFamilies=none
 RestrictSUIDSGID=true
 RestrictRealtime=true
 # if your service crashes with "code=killed, status=31/SYS", you probably tried to run linux_i386 (32bit) binary on a amd64 host