
[RFC,rpcbind,3/4] systemd/rpcbind.service.in: Add various hardening options

Message ID 20240823002322.1203466-4-pvorel@suse.cz (mailing list archive)
State New
Series Update systemd/rpcbind.service.in

Commit Message

Petr Vorel Aug. 23, 2024, 12:23 a.m. UTC
We've been running rpcbind 1.2.6 with it in openSUSE since 2021.

NOTE: In systemd < 244 (released Nov 2019) some of these options are
unknown and will produce warnings, see

https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

Cc: Johannes Segitz <jsegitz@suse.com>
Signed-off-by: Petr Vorel <pvorel@suse.cz>
---
 systemd/rpcbind.service.in | 10 ++++++++++
 1 file changed, 10 insertions(+)

Patch

diff --git a/systemd/rpcbind.service.in b/systemd/rpcbind.service.in
index c5bbd5e..272e55a 100644
--- a/systemd/rpcbind.service.in
+++ b/systemd/rpcbind.service.in
@@ -10,6 +10,16 @@  Requires=rpcbind.socket
 Wants=rpcbind.target
 
 [Service]
+ProtectSystem=full
+ProtectHome=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictRealtime=true
 Type=notify
 # distro can provide a drop-in adding EnvironmentFile=-/??? if needed.
 EnvironmentFile=-/etc/rpcbind.conf
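Review bot: The ten new Protect*/Private*/Restrict* directives carry no comment recording the systemd version they need, even though the commit message says systemd < 244 emits warnings for the ones it does not know; a one-line comment above `ProtectSystem=full` naming the minimum version (and pointing at the openSUSE hardening page the commit message cites) would save distro maintainers that lookup when they see the warnings. It would also help to state, in the commit message or a comment, why `ProtectSystem=full` was chosen over `strict`: the only path the unit touches outside the package tree is `EnvironmentFile=-/etc/rpcbind.conf`, which is read-only under both settings, so the reason for stopping at `full` is not visible from the hunk.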