From c9bc3a12987e74e0980fc8adcc4702d9f8ad4249 Mon Sep 17 00:00:00 2001 From: Jonas L Date: Tue, 27 Sep 2022 13:17:43 +0200 Subject: [PATCH] feat: extra systemd service hardening (#2197) --- analyzer/install/systemd/libretime-analyzer.service | 2 ++ api/install/systemd/libretime-api.service | 2 ++ playout/install/systemd/libretime-liquidsoap.service | 2 ++ playout/install/systemd/libretime-playout.service | 2 ++ worker/install/systemd/libretime-worker.service | 2 ++ 5 files changed, 10 insertions(+) diff --git a/analyzer/install/systemd/libretime-analyzer.service b/analyzer/install/systemd/libretime-analyzer.service index edc8f8f03..c18a64383 100644 --- a/analyzer/install/systemd/libretime-analyzer.service +++ b/analyzer/install/systemd/libretime-analyzer.service @@ -11,9 +11,11 @@ PrivateUsers=true ProtectClock=true ProtectControlGroups=true ProtectHome=true +ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true +ProtectProc=invisible ProtectSystem=full Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ diff --git a/api/install/systemd/libretime-api.service b/api/install/systemd/libretime-api.service index 670af405c..4bad49f88 100644 --- a/api/install/systemd/libretime-api.service +++ b/api/install/systemd/libretime-api.service @@ -12,9 +12,11 @@ PrivateUsers=true ProtectClock=true ProtectControlGroups=true ProtectHome=true +ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true +ProtectProc=invisible ProtectSystem=full Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ diff --git a/playout/install/systemd/libretime-liquidsoap.service b/playout/install/systemd/libretime-liquidsoap.service index 4d1b571f4..ae4bbba2e 100644 --- a/playout/install/systemd/libretime-liquidsoap.service +++ b/playout/install/systemd/libretime-liquidsoap.service @@ -11,9 +11,11 @@ PrivateUsers=true ProtectClock=true ProtectControlGroups=true ProtectHome=true +ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true +ProtectProc=invisible ProtectSystem=full Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ diff --git a/playout/install/systemd/libretime-playout.service b/playout/install/systemd/libretime-playout.service index f56a50257..daf46a144 100644 --- a/playout/install/systemd/libretime-playout.service +++ b/playout/install/systemd/libretime-playout.service @@ -13,9 +13,11 @@ PrivateUsers=true ProtectClock=true ProtectControlGroups=true ProtectHome=true +ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true +ProtectProc=invisible ProtectSystem=full Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@ diff --git a/worker/install/systemd/libretime-worker.service b/worker/install/systemd/libretime-worker.service index 57c39a170..3b8ad68e7 100644 --- a/worker/install/systemd/libretime-worker.service +++ b/worker/install/systemd/libretime-worker.service @@ -11,9 +11,11 @@ PrivateUsers=true ProtectClock=true ProtectControlGroups=true ProtectHome=true +ProtectHostname=true ProtectKernelLogs=true ProtectKernelModules=true ProtectKernelTunables=true +ProtectProc=invisible ProtectSystem=full Environment=LIBRETIME_CONFIG_FILEPATH=@@CONFIG_FILEPATH@@