nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-21 07:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

samba: Use systemd sandboxing for smbd/nmbd

Browse Source 
Test: Samba functional tests passed.

Signed-off-by: James Valleroy <jvalleroy@mailbox.org>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
This commit is contained in:
James Valleroy 2021-11-04 15:48:05 -04:00 committed by Sunil Mohan Adapa
parent 4bb0f81643
commit ff0dc01023
No known key found for this signature in database
GPG Key ID: 43EA1CFF0AA7C5F2
2 changed files with 31 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
plinth/modules/samba/data/usr/lib/systemd/system/nmbd.service.d/freedombox.conf Normal file
View File

@ -0,0 +1,16 @@
[Service]
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
SystemCallArchitectures=native

15
plinth/modules/samba/data/usr/lib/systemd/system/smbd.service.d/freedombox.conf Normal file
View File

@ -0,0 +1,15 @@
[Service]
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
PrivateDevices=yes
PrivateMounts=yes
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectKernelTunables=yes
ProtectSystem=full
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
RestrictRealtime=yes
SystemCallArchitectures=native