bind: Add CapabilityBoundingSet and ReadWritePaths to service file

Change ProtectSystem to strict.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
James Valleroy 2020-02-01 13:03:12 -05:00 committed by Sunil Mohan Adapa
parent c18be280f6
commit 4fc3d14ac3
No known key found for this signature in database
GPG Key ID: 43EA1CFF0AA7C5F2


@ -1,4 +1,5 @@
[Service]
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETGID CAP_SETUID CAP_SYS_CHROOT CAP_SYS_RESOURCE
LockPersonality=yes
NoNewPrivileges=yes
PrivateDevices=yes
@ -9,7 +10,8 @@ ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
ProtectSystem=strict
ReadWritePaths=/var/lib/bind /var/cache/bind /var/run/named
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
SystemCallArchitectures=native
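Review bot: The new `ReadWritePaths=` line lists `/var/run/named` without the `-` prefix, so if that runtime directory is missing when the unit starts, systemd fails the mount-namespace setup and named does not start at all. `/var/run` is normally a symlink to the tmpfs `/run`, so the directory has to be recreated on every boot, and nothing visible in this section does that (it may be handled by a tmpfiles.d entry elsewhere; worth confirming). I would write the line as `ReadWritePaths=/var/lib/bind /var/cache/bind -/run/named` so a missing directory is skipped rather than fatal. With `ProtectSystem=strict` everything outside these three paths is now read-only to the daemon, so it is also worth checking that named writes nothing under `/etc/bind` (for example dynamically updated zones or generated keys) and comparing `systemd-analyze security` output for the unit before and after. A one-line comment above `CapabilityBoundingSet=` saying why each capability is retained (privileged port, dropping to the bind user, chroot, raising resource limits) would help the next reviewer judge whether the set can be narrowed.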